Connecticut lawmakers have introduced legislation that, if enacted, would significantly expand breach-response obligations for organizations affected by large-scale cybersecurity incidents. As proposed, Raised Senate Bill 117 (SB 117) would create a new category of “massive” data breaches and impose mandatory forensic investigation and reporting requirements that go well beyond Connecticut’s existing breach notification framework.
What Is a “Massive” Breach?
Under the proposal, a “massive breach of security” would be defined as a breach in which the personal information of at least 100,000 Connecticut residents has been—or is reasonably believed to have been—compromised, and the breach occurred due to the unauthorized use of a computer or computer network. By its terms, this definition appears to exclude certain categories of incidents, such as those resulting from the physical loss or theft of devices or media, insider misuse occurring within otherwise authorized systems, and certain accidental disclosures such as misconfigurations or inadvertent data exposure. As a result, the bill appears primarily focused on traditional cyber intrusions rather than all large-scale data exposures, though the application of these carve-outs is likely to be fact-specific and subject to regulatory interpretation.
Mandatory Forensic Investigation and Reporting
For qualifying breaches, SB 117 would require organizations to retain a qualified third‑party forensic examiner immediately upon discovery of the incident. The examiner would be required to investigate the incident and prepare a detailed report explaining how the breach occurred and identifying its root causes, to the extent such information is available. The forensic investigation would be mandatory, and all associated costs would be borne by the affected organization.
The bill would further require submission of the forensic report to the Connecticut Attorney General within 90 days of discovery of a “massive breach” affecting at least 100,000 Connecticut residents, in a form and manner prescribed by the Attorney General. If an organization fails to retain a qualified examiner, the Attorney General would be authorized to independently retain a third party to conduct the examination and prepare the report on the organization’s behalf, with the costs charged back to the organization. The proposal does not specify how the Attorney General would select a forensic examiner, nor does it impose express limitations on the scope or cost of the examination.
SB 117 also contemplates significant civil penalties for failure to submit a forensic report, reportedly up to $100,000 for small businesses and $500,000 for other entities.
Why This Matters
If enacted, SB 117 would make Connecticut the first state to impose automatic forensic investigation and reporting requirements based primarily on the size of a data breach alone. Beyond the cost, timing, and incident response implications, the proposal raises heightened concerns regarding the creation, handling, and disclosure of sensitive—and potentially privileged—information typically generated during forensic reviews. In particular, the requirement to submit a detailed forensic report to the Attorney General, combined with the Attorney General’s authority to independently retain a forensic examiner if an organization fails to do so, increases the risk that materials traditionally developed under counsel’s direction may be subject to regulatory disclosure. In such circumstances, organizations could consider engaging two separate forensic vendors: one retained at the direction of counsel to support legal advice and preserve privilege, and a second engaged to satisfy statutory or regulatory reporting requirements, where the work would not be intended to be privileged. This mirrors the approach often taken in large payment card breaches, where organizations retain a Payment Card Forensic Investigator (“PFI”) to meet PCI DSS requirements and report to the card brands, while separately engaging a forensic firm under privilege for legal and litigation-related purposes.
These provisions amplify the importance of proactively aligning incident response protocols, privilege strategies, and forensic vendor engagement structures to preserve attorney‑client privilege and work product protections to the greatest extent possible before an incident occurs.
What Companies Should Do Now
Although SB 117 is currently pending, the bill could take effect as early as October 1, 2026, if enacted. Accordingly, organizations that collect or maintain personal information of Connecticut residents should consider taking proactive steps, including:
- Monitoring legislative developments to understand when and if the proposed requirements take effect.
- Reviewing incident‑response plans and considering any modifications that would be necessary should mandatory third-party forensic investigations and a fixed 90‑day reporting deadline go into effect.
- Evaluating forensic vendor relationships to ensure qualified resources could be engaged immediately if required.
- Assessing internal escalation protocols for large‑scale incidents that could meet the proposed “massive breach” threshold.
- Coordinating legal, security, and communications teams in advance to plan for regulator engagement and forensic report production following a qualifying incident.
