Data Breach in Connecticut


Data security breach laws you should be aware of in Connecticut.

Statute Codes

Breach notification law in Connecticut is gathered under the Banking Law of Connecticut, Connecticut Gen. Stat § 36a-701b, which includes several different aspects. S.B. 650 became law on June 8, 2005, under public Act 05-148 and became effective January 1, 2006. Six years later, H.B. 6001 became law as of June 15, 2012, under Public Act 12-1, and went into effect October 1, 2012. Lastly, S.B. 949 was signed into law on June 11, 2015, and became binding on October 1, 2015.

Legal Requirements

Connecticut breach notification law applies to entities defined as individuals, agencies, or businesses that regularly maintain, license, or own any PI data. Additionally, entities exterior to Connecticut which contain PI on citizens of Connecticut are included under this statute.

A security breach is defined as access to anything containing PI in an unauthorized way. Should access to such data happen in good faith, it isn’t defined as a breach if such data is additionally used in good faith. If a breach occurs but investigation determines it wasn’t harmful, breach notification isn’t necessary. In Connecticut, you must consult with any relevant local, federal, or state agencies who enforce such laws before making such a determination. If it should develop that notification is necessary, the AG must be notified no later than affected parties are–sooner is better. If third parties are involved–meaning they’ve got PI, you manage as an entity which may be compromised–then they must be notified as well should this be determined necessary.

PI is defined by Connecticut as the first name and last name, or the first initial and last name, of a citizen, combined with additional data such as SSNs, driver’s licenses, state IDs, or any information associated with finances. Credit card numbers, debit card numbers, bank accounts, or access information to bank accounts, is considered PI. Information that’s already been made legally available to the public through government records at local, state, or federal levels is not PI. Media that has been widely distributed is also not PI.

Time Frames

Breach notification must be made without unreasonable delay. Re-establishing normal operations and investigating what initiated the breach are considered reasonable.

Also, an investigation into responsible parties is permissible, should it take no longer than 90 days. 90 days is the upper limit after a breach has been discovered unless there are federal laws in the application which require less time. In that case, federal laws will take precedence.

Notice must be given either in written, telephonic, or electronic form, provided electronic means of notification conform to the E-SIGN Act (15 U.S.C. § 7001). In
Connecticut, if the SSN is compromised by a PI breach, the law requires that the party who was responsible to prevent the breach provide services in identity theft protection. Additionally, associated mitigation may be necessary. No cost is allowed for these services for at least a year. All info for enrollment must be provided to all affected citizens, including how a credit freeze on a resident’s file can be put into effect.


Breach notification in Connecticut is enforced by the AG, who is authorized to seek both injunctive relief and direct damages as applicable.

Contact Security Compliance Associates to Learn More about the Laws and Regulations for a Data Security Breach in Connecticut

SCA has years of experience helping organizations across the United States to prevent and manage potential data breaches. Contact us today at 727-571-1141 to schedule a no-cost consultation. You can also download our free Data Breach Response Guide to learn more about breach notification law in your state.