In the absence of any meaningful moves in Congress to enact uniform data breach notification, the states continue to make adjustments to existing laws to better protect affected residents in their states.

Connecticut is the latest state to amend its data breach notification law this year.  If your company has ever had the unfortunate experience of a major data breach involving Connecticut residents, you may have received a “request” from the Connecticut Attorney General’s office to provide at least two years of identity protection or credit monitoring services to the affected Connecticut residents following the breach.   Last week, Governor Malloy signed into law a bill that will require that offer of services and require an outside deadline by which companies must notify.    Connecticut now joins California as states including some form of credit monitoring in their data breach notification laws.

The basics of SB 949:

  • Effective October 1, 2015
  • If breach involves a Connecticut resident’s name and Social Security number, must offer the affected individual “appropriate identity theft prevention services and, if applicable, identity theft mitigation services”
  • No cost to the individual
  • A period of not less than one year
  • Notice must include information on how to enroll in the free service as well as how the affected individual can place a freeze on his or her credit file
  • Notice must be provided “no later than ninety days after the discovery of the breach, unless a shorter time is required under federal law”

The 90-day timeframe for notice is more specific than the existing (and more common) “without unreasonable delay” formulation, however, it is still longer than the notice deadlines in other state notification laws.  For example, Florida has a 30-day provision, and other states have a 45-day provision.

Underlying all of this is Attorney General George Jepsen’s press release commenting on the new law and clearly stating that his office will consider the 90 days to be an “outside limit” for the timing of notification and that his office may consider 90 days to be unreasonable under certain circumstances.  Further, the press release states that his office will continue to press companies to offer more than one year of protection services and will consider the one year to “set a floor” and his office will continue to “demand two years’ of protections” where circumstances warrant.