The Act concerning Data Privacy Breaches was signed on 16 June 2021, by the Connecticut State Governor and entered into effect, on 1 October 2021.
Key Highlights of the Act
- Scope of Definition of personal information has been broadened to include additional categories of sensitive information. The definition includes:
“personal information” means an individual’s
A. first name or first initial and last name in combination with any one, or more, of the following data:
(i) Social Security number;
(ii) taxpayer identification number;
(iii) identity protection personal identification number issued by the Internal Revenue Service; (iv) driver’s license number, [or] state identification card number;
(iv) passport number, military identification number or other identification number issued by the government that is commonly used to verify identity;
(v) credit or debit card number;
(vi) financial account number in combination with any required security code, access code or password that would permit access to such financial account;
(vii) medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
(viii) health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual; or
(ix) biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; or
B. user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
- Shortened the time period to notify consumers and the Attorney General (‘AG’) of a security breach from 90 to 60 days; and
- Providing confidentiality for material obtained by the AG through Civil Investigative Demands.