Connecticut privacy breach reporting and cybersecurity safe harbor

Connecticut Governor Ned Lamont signed into law a pair of bills: An Act Concerning Data Privacy Breaches and An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses. Both bills strengthen the state’s data breach reporting laws and provide for a safe harbor against certain damages for businesses who experience a data breach despite having appropriate safeguards in place. These laws are effective October 1, 2021. Employers should review their existing data breach and cybersecurity protocols to ensure compliance with the new requirements. For employers doing business in Connecticut, key provisions are highlighted below.

Data privacy breaches: expanded requirements

An Act Concerning Data Privacy Breaches expands the types of information and individuals subject to data privacy requirements.

  1. Expands data breach notification requirements to anyone who owns, licenses, or maintains computerized data that includes personal information, as opposed to those who do so in the ordinary course of doing business in Connecticut under current law.
  2. Expands the types of information constituting “personal information” subject to data breach notification requirements.
    1. Existing law provides for the following types of information in combination with a person’s first name or first initial and last name: social security number, driver’s license or state ID card number, credit or debit card number, or financial account number in combination with other information that would permit access. The Act adds these additional new information types:
      1. Taxpayer ID number; identity protection personal ID number issued by the IRS; passport number; military ID number; other government issued number issued to verify identity; information about the person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance policy number or subscriber ID number or other unique identifier a health insurer uses to identify the person; or biometric data (e.g. fingerprint, voice print, retina or iris image).
    2. Additionally, the Act provides that the following information also constitutes personal information: a person’s username or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
  3. Abbreviates the data breach notification requirement from ninety (90) days to (60) days following discovery of the breach.
  4. If notice is provided in accordance with HIPAA (Health Information Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) then it shall meet the notice requirements of the Act so long as the Attorney General is provided notice in accordance with the Act.

Safe harbor for businesses

An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses provides for a safe harbor from punitive damages in tort actions brought under the laws of Connecticut or in the courts of Connecticut in which a failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information. In order to be eligible for this safe harbor, the covered entity which experienced the breach must demonstrate that it “created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework”. Example industry frameworks acceptable under the Act include:


  1. “Framework for Improving Critical Infrastructure Cybersecurity" published by the National Institute of Standards and Technology;
  2. The National Institute of Standards and Technology's special publication 800-171;
  3. The National Institute of Standards and Technology's special publications 800-53 and 800-53a;
  4. The Federal Risk and Management Program's "FedRAMP Security Assessment Framework";
  5. The Center for Internet Security's "Center for Internet Security Critical Security Controls for Effective Cyber Defense";
  6. The "ISO/IEC 27000-series" information security standards published by the International Organization for Standardization and the International Electrotechnical Commission; or
  7. The "Payment Card Industry Data Security Standard" together with the current version of one of the applicable industry-recognized cybersecurity frameworks referenced above.


Covered entities may also take advantage of the safe harbor if their cybersecurity programs conform to one of these federal laws:

  1. HIPAA;
  2. Title V of the Gramm-Leach-Bliley Act;
  3. The Federal Information Security Modernization Act; or
  4. Health Information Technology for Economic and Clinical Health Act.


In order to remain eligible for the safe harbor, covered entities whose cybersecurity programs conform to one of the accepted frameworks or standards above must ensure that in the event any of the above frameworks or standards are revised or amended, that such changes are incorporated into their cybersecurity programs within six (6) months of the date of such amendments or published revisions.


Disclaimer: The information contained herein is not intended to be construed as legal advice, nor should it be relied on as such. Employers should closely monitor the rules and regulations specific to their jurisdiction(s) and should seek advice from counsel relative to their rights and responsibilities.

Go back