
Connecticut

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: No later than 60 days
Government Notification Required: Yes

Conn. Gen. Stat. § 36a-701b

Scope of This Summary:

Notification requirements applicable to any persons who conduct business in the state and own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.

Risk of Harm Threshold

Notification not required if, after appropriate investigation and consultation with relevant federal, state, and local law enforcement, the covered entity reasonably determines the breach will not likely result in harm to affected residents.

Breach Defined

Unauthorized access to or acquisition of covered info.

Encryption Safe Harbor

Statute does not apply to information that is encrypted or secured by other methods that render it unreadable or unusable.

Form of Covered Information

Electronic Only

Covered Information

An individual's first name or first initial and last name in combination with any one or more of the following data elements:

  • Social Security number.
  • Taxpayer identification number.
  • Identity protection personal identification number issued by the United States Internal Revenue Service.
  • Driver's license number, state identification card number, passport number, military identification number or other identification number issued by the government that is commonly used to verify identity.
  • Credit or debit card number.
  • Financial account number in combination with any required security code, access code or password that would permit access to such financial account.
  • Medical information, meaning any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.
  • Health insurance information, meaning an individual's health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual.
  • Biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina or iris image.
  • Username or email address in combination with a password or security question and answer that would permit access to an online account.
  • Precise geolocation data (effective Oct. 1, 2023).

Consumer Notice Timing

Must be made without unreasonable delay but no later than 60 days after the discovery of the breach, unless a shorter time is required under federal law, subject to completion of an investigation to determine the nature and scope of the incident, to identify those affected, or to restore the reasonable integrity of the system.

Consumer Notice Method

By written notice, telephone notice, or electronic notice if it is consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.

Consumer Notice Content

If Social Security numbers are breached or reasonably believed to have been breached, must offer appropriate identity theft prevention and, if applicable, mitigation services at no cost to the resident for not less than 24 months, as well as information on how the resident can place a credit freeze.

Delayed Notice

Notification may be delayed if law enforcement determines that notice will impede a criminal investigation and law enforcement requests notification be delayed.

Government Notice

Covered entity must also provide notice to the Connecticut Attorney General no later than the time notice is provided to the resident.

Consumer Reporting Agency Notice

The Connecticut general breach notification and insurance data security statutes do not require notification to credit reporting agencies.

Exceptions for Other Laws

A covered entity will be deemed compliant with the statute if, in the event of a breach, the covered entity complies with the breach notification requirements of its functional regulator as defined by the Gramm-Leach-Bliley Act at 15 U.S.C. 6809(2) and notifies affected residents of a breach in accordance with those requirements.

Third-Party Notice

If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of breach.

Private Right of Action

The Connecticut general breach notification statute does not provide for a private right of action.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on November 15, 2023

©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.