New Connecticut Law Requires Businesses Offer Identity Theft Protection Services after a Data Breach

By Joseph J. Lazzarotti
June 17, 2015

Beginning October 1, 2015, companies that experience a data breach affecting a Connecticut resident must offer that individual free identity theft prevention services and, if applicable, identity theft mitigation services for at least one year. The requirement applies when the breach includes the resident’s name and Social Security number (SSN).

The new law, Public Act No. 15-142, signed by Governor Dannel Malloy on June 11, amends the state’s current breach notification mandate to require covered businesses to offer one year of free identity-theft protection service to each Connecticut resident affected by a data breach of certain personal information, including the resident’s name and SSN. 

The new law also requires that if such services have to be provided, the notification to the affected resident(s) must inform the recipient(s): 

  • how to enroll in the services, and 
  • how to place a credit freeze on their credit file. 

The law also tightens the timeframe for providing all breach notifications (not just those involving free theft protection services). Breach notifications must continue to be made without unreasonable delay; effective October 1, 2015, however, such notifications may not be made later than 90 days after the discovery of the breach, unless a shorter time is required under federal law.

The new mandate has significant implications for companies that have breaches involving SSNs affecting individuals in states such as Connecticut. Companies might feel compelled to offer identity theft protection services to all affected individuals, not just Connecticut residents. Of course, many businesses already provide similar services, but not in all cases.

In addition, businesses should consider evaluating possible providers of identity theft protection services ahead of time to be ready to move quickly in the event of a breach that triggers the new mandate. Some have read the California breach notification law to have a mandate similar to Connecticut’s, requiring one year of free identity theft protection services (the California law is not as clear as the Connecticut law).

Businesses also should determine the scope of services that needs to be offered. A cottage industry of credit monitoring, identity theft protection and remediation services has emerged, with some companies offering more extensive and thorough services than others, at varying costs. While the Connecticut law contains no minimum requirements for identity theft prevention or mitigation services, companies should consider the different service providers and levels of service in the marketplace to ensure their needs will be met.

During the legislative process, Connecticut Attorney General George Jepsen acknowledged that the law would set only “a floor for the duration of the protection” and his office may continue to “seek broader kinds of protection.” In particular, in cases where a data breach involves more sensitive personal information, the AG stated he would continue this practice of seeking two years of identity theft prevention or mitigation services, even though the statute requires only one year.

For additional information and assistance with this and other laws, please contact a member of our Privacy, e-Communication and Data Security practice or the Jackson Lewis attorney with whom you regularly work.

©2015 Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Reproduction of this material in whole or in part is prohibited without the express prior written consent of Jackson Lewis P.C., a law firm that built its reputation on providing workplace law representation to management. Founded in 1958, the firm has grown to more than 900 attorneys in major cities nationwide serving clients across a wide range of practices and industries including government relations, healthcare and sports law. More information about Jackson Lewis can be found at www.jacksonlewis.com.
