Connecticut Data Breach Law Will Require Notice to Attorney General

Beginning October 1, 2012, Connecticut’s data breach notification law will require businesses to notify the Office of the Attorney General of a security breach affecting Connecticut residents. The current law was repealed and replaced wholesale with the new law, which was neatly tucked away in a Special Session bill implementing the state’s budget for the fiscal year. (Note: The language regarding breach notification starts on page 162 of the 468 page bill.)

The new law demonstrates an effort to increase the Attorney General’s visibility into breach events, and will make it easier for the Attorney General to enforce the consumer notice requirements. Businesses should notify the Attorney General of a security breach using a new email address, ag.​breach@​ct.​gov, no later than when consumers are notified of the breach.

Businesses that operate in Connecticut or collect or store personal information from Connecticut residents should take note of the new law, and ensure that notice is provided to the Office of the Attorney General in a timely manner . Connecticut is one of 16 states that requires notice to a state agency in the event of a security breach. A chart that sets out these state requirements is available here.