Statement from AG Jepsen on Final Passage of Data Breach
Notification and Consumer Protection Legislation
Attorney General George Jepsen today issued the following statement on the House of Representative's final passage of Senate Bill 949, An Act Improving Data Security and Agency Effectiveness, which includes several changes to the state's data breach notification law and requires at least one year of identity theft protection for victims of data breaches involving Social Security numbers:
"I welcome the General Assembly's attention to this important issue. The number of reported data breaches has skyrocketed since the legislature amended the breach notification law in 2012 to require companies to provide notification to my office, and the unfortunate reality is that, as hackers become more and more sophisticated, it's likely that consumers will continue to be impacted by breaches for the foreseeable future. The legislation passed by the Senate and the House this year will provide clarity on the minimum requirements under Connecticut law for businesses that experience data breaches affecting consumers' personal information.
"The bill calls for notification no later than 90 days from the discovery of the breach, unless an exception applies. There may be circumstances under which it is unreasonable to delay notification for 90 days. The bill sets an outside limit for notification, but does not in any way diminish my discretion to seek relief against companies who unduly delay notifying those whose data has been compromised or my office. We intend to continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification – even if notification is provided less than 90 days after discovery of the breach.
"The bill also calls for companies who experience breaches to provide no less than one year of identity theft prevention services. This requirement sets a floor for the duration of the protection and does not state explicitly what features the free protection must include. I continue to have enforcement authority to seek more than one year's protection – and to seek broader kinds of protection – where circumstances warrant. Indeed, in matters involving breaches of highly sensitive information, like Social Security numbers, my practice has been to demand two years' of protections. I intend to continue to that practice.
"My office will continue to aggressively investigate these breaches and, where appropriate, take action when we feel that notification has not been reasonable or protections offered to consumers are not adequate."
Jaclyn M. Falkowski