Connecticut legislators moved forward with a bill that expands existing data privacy laws.
The state Senate voted in favor of Senate Bill No. 117, which outlines procedures for a breach of security involving electronic personal information. It requires a third-party forensic investigation after a “massive breach of security.” The bill defines a breach of security as the unauthorized access to a computer network that results in the disclosure of personal information, other than credit or debit card numbers.
Senator James Maroney is the co-chair of the General Law Committee. Maroney said the difference between the bill and the current law is that it expands the definition of what qualifies as a massive security breach. Companies would need to submit a report to the state Attorney General in the event of a massive breach.
“What this adds in is the requirement for that forensic audit in the event of that massive breach of security. So that’s the big difference here. It requires them to hire a third party to do a forensic audit to determine how the breach happened and the extent of it,” Maroney said.
Security breaches must be reported within 60 days of discovery. In the event of a massive security breach, if a company delays providing a report to the attorney general or fails to investigate the breach, it could be subject to civil penalties of up to $250,000, depending on the size of the business.
“Last year, in the state of Connecticut, there were over 2300 data breaches. Only seven of those would have qualified as a massive data breach, or massive breach of security as defined in this piece of legislation," Maroney said.
Earlier this year, Attorney General William Tong said the state will look into tightening data privacy laws following the release of his office’s annual enforcement report. The Connecticut Data Privacy Act (CTDPA) was passed in 2022 and outlines the state's data privacy laws, compliance expectations, and enforcement for violations.
Under the bill, a massive security breach would be defined as one that affects at least 100,000 residents. That would broaden the criteria for companies required to report breaches. In a previous statement, Tong said updates to the existing laws would allow his office to hold companies accountable.
“Once there's a breach, they're supposed to take action. They're supposed to let us know as soon as possible and then they're supposed to take action to protect all of us,” Tong said. “So this is stuff you don't want out there and now it's out there, swimming out there for 14 months before we know anything.”
