June 8, 2021

Employer data breach rules clarified in new bill awaiting governor’s OK

Businesses must notify the state within 60 days of any data breaches and report potential exposure of more categories of personal information under a bill now awaiting Gov. Ned Lamont’s signature. 

The state senate passed An Act Concerning Data Privacy Breaches late last week and the bill is on the governor’s desk.

“This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents,” Attorney General William Tong said in a statement.

The law broadens the scope of what is considered “personal information” to include medical information, online account information, passport numbers, military identification and health insurance account numbers. Businesses and other entities must notify individuals and the attorney general’s office of a security breach within 60 days, down from 90 days under previous rules.

Business groups including the Insurance Association of Connecticut and the Connecticut Business Industry Association (CBIA) wrote in support of the new data breach notification bill, which was passed unanimously by both house and senate. 

“The bill clarifies and directs how businesses are to handle breaches in security where unauthorized access of electronic files, media, databases or computerized data that contains personal information has occurred,” CBIA Associated Counsel John Blair wrote. 

Data security continues to be a top issue for Connecticut businesses, with another pending bill incentivizing companies to beef up their cybersecurity efforts and shielding companies that enact such policies from legal liability if data is exposed in a cyberattack.

Aetna was fined $1 million last year for a website snafu and envelope mishaps that allowed potential access to patient data. The U.S. Department of Health and Human Services announced the fine in October for violations of HIPAA privacy regulations.
