New legislation governing data breaches and privacy issues is popping up in states across the country. Most recently, Connecticut, Vermont, and Illinois have enacted new laws in these areas.
At long last, the proposed legislation requiring a data breach to be reported has become law in Connecticut. Section 369-701b was unable to move its way through the 2012 General Session of the Connecticut Legislature, but it was recently passed as part of the Connecticut General Assembly's Special Session as an attachment of the Budget Bill.
The new statute, which will become effective on October 1, 2012, is remarkably straightforward and simple in comparison to other states' laws that mandate breach notification or reporting. Specifically, the data breach statutes of most states provide a type of safe harbor by mandating notification in the event of a data breach of personal information, but defining "personal information" as unencrypted personal information. The effect is that a breach of encrypted personal information does not require a breach notification. Connecticut's new statute does not allow for such a loophole. For example, under the Connecticut statute, "breach notification" means:
Unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. [sec. 369-701b(a)]
Of course, the Connecticut statute isn't perfect, as the resolution of some problems remains unclear. (E.g., would password protection be considered a method that "renders the personal information unreadable or unusable"? Why is the breach limited to computerized data only?) Still, it is superior to the data breach statutes of most other states, which often require analysis of multiple different sections and complex definitions. Also, as an added bonus, Section 369-701b operates in addition to any other data breach reporting requirements that exist in the Connecticut Statutes or are promulgated by industry regulators (e.g., the Connecticut Department of Insurance Bulletin 1C-25). Finally, failure to comply with the new Connecticut statute constitutes an "unfair trade practice" under Connecticut Statutes section 42-1106 and is enforceable by the Attorney General.
Vermont recently updated its data breach law...