Cyber Threat Report

Connecticut Expands Data Breach Notification Law Effective 10/1/21

The Connecticut (CT) State Legislature has enacted major changes to CT Data Breach Notification Laws, effective October 1, 2021. These changes are a direct result of the worsening threat landscape, and it is safe to say that regulations will most likely continue to be enacted at both the state and federal levels.  


The adage of “the best defense is a good offense” has never been truer and if you don’t already have an up-to-date and comprehensive cyber security and incident response plan, you are already behind the curve. Those of you who have these plans will need to keep up with changes and update them accordingly. 

This link will take you to the newly enacted CT Data Breach Notification Law, and below are the highlights:

Expansion of the definition of “personal information”: Bill #5310 PA21-59 expands “personal information” to also include taxpayer identification numbers, IRS identity protection personal identification numbers, passport numbers, military ID or other government ID, certain medical information, health insurance policy information, biometric information, and username or email address when in combination passwords, or security questions and answers.

HIPAA/HITECH Exemption, Except for AG Notice: If breach notice is provided to Connecticut residents in compliance with HIPAA and HITECH, the notice will be considered in compliance with State requirements. It is important to bear in mind that notification must still be made to the CT Attorney General’s (AG) office at the same time when residents are notified. Notification to the AG must not occur after notification is made to residents.

Shortened Notification Requirements: Notification timeframes for both residents and the State AG’s office have been shortened under this new law. What used to allow 90 days has now been shortened to 60 days once the breach has been discovered. The law now mandates that if proper notice cannot be made within the 60-day window, organizations must provide a preliminary notice, after which they are required to follow up with a direct notice as soon as possible. 

We are JANUS Associates - dedicated to improving the information security of our clients, and society at large. In business since 1988, JANUS offers a full range of high-quality cyber security, privacy, and regulatory compliance services at affordable costs.

We understand the challenges that organizations of all sizes face and we can help you achieve your information security goals regardless of your size. Contact us today and speak with a JANUS cyber security professional.

New call-to-action
New call-to-action

Subscribe to Cyber Threat Report