A change to Connecticut's privacy breach notification law that takes effect this week highlights the need for businesses of all types to remain abreast of the developments in this still-emerging area of the law.
Nearly every business collects and electronically stores information about employees, clients, and customers, such as Social Security numbers and credit card numbers. Ideally, effective data security practices will prevent unauthorized access to or acquisition of this information. But even under stringent policies, private information can still be compromised, whether accidentally or maliciously. Businesses must be prepared to navigate certain legal requirements if the security of stored personal information is breached.
Starting Oct. 1, a revision to the state's privacy breach notification law requires the Connecticut Office of the Attorney General (OAG) to be notified if an entity that conducts business in Connecticut experiences a security breach involving any electronically stored personal information of a Connecticut resident. The requirement to notify the OAG adds a new wrinkle to an existing privacy breach notification law (Conn. Gen. Stat. § 36a-701b) that became effective on Jan. 1, 2006. The revision does not otherwise make any significant changes to the law (which covers certain "personal information," such as Social Security numbers, driver's license numbers, and information that permits access to an individual's financial account), but the amendment should give businesses an occasion to brush up on the legal requirements that take effect when a breach occurs.
To help combat the growing problem of identity theft, Connecticut law requires that when a business knows or reasonably believes that the security of its electronically stored personal information has been breached by "unauthorized access" or "unauthorized acquisition" of the information, each person whose information has been compromised must be notified "without unreasonable delay." The amendment that takes effect this week provides that the OAG must be notified no later than the time at which the affected individuals are notified.
An exception exists to the individual notice requirement, but it does not appear to apply to the new duty to notify the OAG. If, following consultation with relevant law enforcement agencies, the business "reasonably determines that the breach will not likely result in harm," then notification of the affected individuals is not necessary. But because the OAG is responsible for enforcing the statute (and is thus a relevant law enforcement agency), a business cannot reasonably claim this exception unless the OAG (and possibly other law enforcement agencies) is first notified and consulted.
Failing to fulfill the statutory reporting duties is a violation of the Connecticut Unfair Trade Practices Act, and may give rise to liability for damages. A business that fails to report a breach could be found liable for the financial loss suffered by those individuals who were subjected to identity theft, to the extent that the financial loss is attributable to the business's failure to report the breach without unreasonable delay.
The Connecticut privacy breach reporting law is part of a patchwork of individual state laws in this area. California enacted the nation's first breach reporting statute in 2002, and 46 states have now enacted such laws. Although many state laws, including Connecticut's, are based on the California law's framework, some important nuances exist among the states. For example, unlike Connecticut's law, the New York privacy breach reporting law (N.Y. Gen. Bus. Law § 899-aa) requires that breaches affecting more than 5,000 New York residents be reported to the consumer reporting (credit) agencies in addition to the individuals affected.
Connecticut businesses that experience a data breach should be aware of the requirements of other states' laws. For example, the Massachusetts privacy breach reporting law (Mass. Gen. Laws ch. 93H) is broader in scope than the Connecticut law, and applies to any business that keeps personal data about Massachusetts residents, regardless of whether the information was collected or stored in Massachusetts. Thus, a Connecticut business that has employees or customers from Massachusetts may need to comply with the Massachusetts law regarding data security breaches in the event that the personal information of Massachusetts residents is compromised.
In addition to the state requirements, federal requirements may also apply. For example, the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, added a breach notification requirement for protected health information to the framework established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), so both statutes impose federal requirements regarding security breaches of health-related information.
All businesses should have policies and procedures in place to prevent personal information from being compromised. If a breach occurs, a thorough and current understanding of the applicable legal requirements is critical to avoid potential liability. The change to Connecticut's personal information security breach law that takes effect this week — and the existing legal framework to which it has been added — serves to remind businesses of the important legal duties that can arise following a breach.
Robert Cox is chair of the business and commercial law practice at Halloran & Sage LLP in Hartford. Casey O'Connell of that firm provided research assistance. Reach Cox at email@example.com.