• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy, Cyber & Data Strategy Blog

  • Home
  • Services
  • Events
  • Contacts

Connecticut Passes Bill to Require Identity Theft Protection Services In Certain Breaches

June 12, 2015 By Privacy, Cyber & Data Strategy Team

On June 11, Connecticut SB949 became a Public Act, after being passed by both chambers of the state legislature. Governor Dannel Malloy can now either sign the bill or take no action for it to become law. SB949 will, among other provisions, require companies that experience a security breach requiring notice to individuals under Connecticut law and involving the individual’s Social Security Number to offer “applicable identity theft prevention services, and, if applicable, identity theft mitigation services” at no cost for at least twelve months. This requirement will take effect on October 1, 2015. In 2014, California’s legislature attempted to pass a similar requirement, but the bill that was passed only includes a requirement for identity theft prevention and mitigation services, when offered, to be offered for a period of at least twelve months.

In addition to the requirement to provide identity theft prevention and mitigation services, the Connecticut bill codifies a hard deadline to provide notice of security breaches to the affected individuals of not later than ninety days after the discovery of the breach, unless an exception applies or a shorter time is required by another federal law.

Companies should not view the 90-day deadline as a safe harbor, however. The same day that SB949 was passed by Connecticut’s House of Representatives, Attorney General George Jepsen issued a statement with his thoughts on both the notification deadline and the requirement for identity theft mitigation services. “We intend to continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification – even if notification is provided less than 90 days after discovery of the breach.”

Similarly, with respect to identity theft mitigation services, Jepsen stated that the twelve month duration should be considered a floor, not a ceiling. “I continue to have enforcement authority to seek more than one year’s protection – and to seek broader kinds of protection – where circumstances warrant.  Indeed, in matters involving breaches of highly sensitive information, like Social Security numbers, my practice has been to demand two years’ of protections.  I intend to continue to that practice,” Jepsen said.

UPDATE: Governor Malloy signed SB949 on July 1, 2015.

Filed Under: Data Breach, Data Security, Legislation, Privacy, Security Breach Tagged With: Identity Theft, US State Law

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • Recent Exploits of Blockchain Bridges Highlight Need for Cybersecurity in Crypto and Risk of Liability
  • Germany’s Cyber Threat Landscape – Top 3 Lessons from the BKA Situation Report
  • CPPA Board Opposes American Data Privacy and Protection Act
  • SEC Settles Enforcement Actions with Broker-Dealers and Investment Advisors for Identity Protection Deficiencies
  • UK Information Commissioner’s Office Issues Warning on Ransomware Payments
Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.