Senate Bill 949 has now gone before the Senate and been approved; all that remains before the new Connecticut data breach law is passed is for Gov. Dannel P. Malloy to add his signature, which is expected to happen in the next few days.
The new Connecticut data breach law was introduced to increase protections for consumers following a spate of healthcare data breaches to affect state residents in recent months.
The new Connecticut data breach law increases protections for state residents after a data breach occurs. All companies doing business in the state of Connecticut will be required to offer data breach victims a year of credit monitoring services, free of charge, in the event that their Protected Health Information is exposed.
The aim is to ensure that companies mitigate risk effectively after a breach of the data they store on patients and consumers. Because stolen data is frequently used to commit identity fraud, it was deemed necessary to stipulate a minimum period for which credit protection services must be offered.
Not all healthcare data breaches will require protection services to be provided to breach victims; only those that expose Personally Identifiable Information together with Social Security numbers, driver’s license numbers, or credit or debit card details, or a security code if it is exposed together with a password.
According to Connecticut Attorney General George Jepsen, the new bill “sets a floor for the duration of the protection and does not state explicitly what features the free protection must include.” This gives organizations some flexibility.
However, a year of credit monitoring/protection services is the minimum requirement. It may be necessary for businesses to offer two years of credit and identity theft protection, or even longer if the risk of fraud is particularly high.
The Health Insurance Portability and Accountability Act (HIPAA) requires all healthcare providers to send notification letters to breach victims within 60 days of a data breach occurring. The new Connecticut data breach bill does not impose such a strict reporting deadline: companies must send notifications within 90 days of the breach occurring.
Although the maximum time limit for reporting a data breach is 90 days, businesses must attempt to notify breach victims quickly and alert them “without unreasonable delay”. If a data breach notification is delayed for the full 90 days, the business in question could face sanctions from the attorney general if there is no valid reason for delaying the notification process.