Connecticut Expands Data Breach Notification Requirements And Establishes A Cybersecurity – Mondaq News Alerts



United States:

Connecticut Expands Data Breach Notification Requirements And Establishes A Cybersecurity "Safe Harbor"


On June 16 and July 6, 2021, Connecticut Governor Ned Lamont
signed two new cybersecurity laws that continue the national trend
of expanding cyber incident disclosure obligations, shortening
notification timelines, and incentivizing the implementation of
recognized cybersecurity standards. Both laws take effect on
October 1, 2021.

"An Act Concerning Data Privacy Breaches" Amends
Connecticut's Existing Data Breach Law

The amended data breach law includes three key changes:

  • The time businesses have to notify affected Connecticut
    residents and the Office of the Attorney General of a data breach
    has been shortened from 90 days to no later than 60 days after
    discovery of the breach;
  • If notice cannot be effected within the new 60-day window, a
    novel and significant amendment requires companies to provide
    preliminary substitute notice to individuals, and follow up with
    direct notice as soon as possible; and
  • The law significantly expands the definition of "personal
    information" that may trigger notification obligations to
    include an IRS identity protection personal identification number,
    certain medical information, biometric information, a user name or
    email address in combination with a password or security question
    and answer (regardless of whether or not the individual's name
    is accessed in combination with it), and a number of other data
    elements commonly included in other states' data breach notice

"An Act Incentivizing the Adoption of Cybersecurity
Standards for Businesses" Establishes a Cybersecurity
"Safe Harbor" Statute

The new law will establish an affirmative defense against tort
claims alleging that a business's failure to implement
reasonable cybersecurity controls caused a data breach. Businesses
that have created, maintained, and complied with a written
cybersecurity program can take advantage of this "safe
harbor" if their written cybersecurity program complies with
one or more of the industry-recognized frameworks (such as the
National Institute of Standards and Technology's Cybersecurity
Framework or the Center for Internet Security's Critical
Security Controls) or applicable federal laws (such as the
cybersecurity requirements of the Health Insurance Portability and
Accountability Act).

Connecticut is the third state, after Ohio and Utah, to enact a
cybersecurity safe harbor statute.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
