Global Data Privacy Guide
USA, Connecticut (United States)
Firm: Harris Beach Murtha
Updated 17 Jun 2022
What is the key legislation?
- Conn. Gen. Stat. §§ 36a-701b (Data Breach Law), 42-470 (Social Security Number Law) and 42-471 (Personal Information Safeguarding Law) are the key statutes.
- Conn. Gen. Stat. §§ 62a-4e-70-71 (State Contractors Law) and 38a-975 to 38a-999a (Insurance Information and Privacy Protection Act) provide specific rules for state contractors and for insurance institutions, agents and related organizations, respectively.
- Conn. Gen. Stat. § 19a-550 provides a patient’s bill of rights with respect to certain medical records.
- Conn. Gen. Stat. §§ 36a-40 to 36a-45 (Banking Law) govern a financial institution’s requirements with respect to customer financial records.
- Conn. Gen. Stat. § 31-40x establishes certain employer restrictions with respect to employees’ personal information.

What data is protected?
- Under the Data Breach Law (Conn. Gen. Stat. § 36a-701b), electronic “Personal Information” is protected. “Personal Information” is defined as an individual's first name or first initial and last name in combination with any one, or more, of the following data: (i) Social Security number; (ii) driver's license number or state identification card number; (iii) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account; (iv) individual taxpayer identification number or identity protection personal identification number issued by the IRS; (v) passport number, military identification number or other identification number used by the government to verify an individual’s identity; (vi) medical information regarding an individual’s medical history, including their mental or physical condition, treatment or diagnoses; (vii) health insurance policy information, including policy number, subscriber identification number and any other unique identifiers issued by the insurer; (viii) biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain an individual’s identity, such as fingerprints, voiceprints, and retina or iris images; or (ix) usernames or email addresses combined with a password or security question and answer that would permit access to an online account. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
- Under the Personal Information Safeguarding Law (Conn. Gen. Stat. § 42-471), paper or electronic “Personal Information” is protected. “Personal Information” under this statute is defined slightly differently than in the Data Breach Law. “Personal Information” is defined as: “information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number, a health insurance identification number or any military identification information, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.”
- Social Security numbers are protected by the Social Security Number Law (Conn. Gen. Stat. § 42-470).
- Under the Insurance Information and Privacy Protection Act, personal information (including medical records) and privileged information collected or received in connection with an insurance transaction is generally protected unless a specific exception is met. For purposes hereof, “Personal Information” means “any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health or any other personal characteristics.” Similarly, “Privileged Information” means “any individually identifiable information that: (A) relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual; and (B) is collected in connection with or in reasonable anticipation of a claim for insurance benefits or a civil or criminal proceeding involving an individual.” (Conn. Gen. Stat. § 38a-988).
- Under Conn. Gen. Stat. § 19a-550, medical records of patients of a nursing home, residential care home or chronic disease hospital must be treated confidentially, and the statute establishes the circumstances under which such records may be released to third parties.
- Under the Banking Law, all Financial Institutions (as defined therein) must keep their customers’ Financial Records confidential unless a certain exception is met. A Financial Record is defined as any original or any copy, whether physically or electronically retained, of: (i) a document providing signature authority over a deposit account or a share account with a financial institution; (ii) a statement, ledger card, or other record on any deposit account or share account with a financial institution showing each transaction in or with respect to that account; (iii) any check, draft, or money order drawn on a financial institution or issued and payable by such an institution; or (iv) any item, other than an institutional or periodic charge, made pursuant to any agreement by a financial institution and a customer which constitutes a debit or credit to that person's account with that financial institution, if the information does not consist of a check, draft or money order payable by the financial institution. Furthermore, all Financial Institutions are required to comply with the Gramm-Leach-Bliley Act of 1999 pertaining to the privacy and protection of customer non-public information.
- With limited exceptions, under Conn. Gen. Stat. § 31-40x, an employer may not: (i) request or require that an applicant or employee give an employer his or her username and password, password, or any other means of authentication to access a personal online account; (ii) request or require that an applicant or employee access or authenticate a personal online account in the employer’s presence; or (iii) require an applicant or employee to invite the employer or accept an invitation from the employer to join a group affiliated with any of the applicant’s or employee’s personal online accounts. Furthermore, an employer may not retaliate against an applicant or employee because he or she refuses any of the above prohibited requests, or because he or she files (or causes to be filed) any complaint with a court concerning the employer’s violation of this statute.

Who is subject to privacy obligations?
- Under the Data Breach Law, any person who owns, licenses or maintains computerized data that includes personal information must comply with the obligations in the statute. However, persons subject to and in compliance with the privacy and security standards of the Health Insurance Portability and Accountability Act ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") may be exempt from particular provisions.
- Under the Personal Information Safeguarding Law, any person who possesses “personal information” (as defined therein) must safeguard any data, computer files and documents containing such personal information from being misused by third parties. The person in possession of the personal information is required to destroy, erase or make any data unreadable prior to disposing of data, computer files and documents. Furthermore, any person who collects Social Security numbers in the course of business is also subject to this law.
- Under the Insurance Information and Privacy Protection Act, an insurance institution, agent or insurance support organization that regularly collects, uses or discloses medical record information must develop and implement written policies, standards and procedures for the management, transfer and security of medical record information, including policies, standards and procedures to guard against the unauthorized collection, use or disclosure of medical record information by such insurance institution, agent or support organization (or any employee or agent thereof).
- Under the State Contractors Law, persons with state contracts are required to maintain a comprehensive data security program.
- Health care providers, specifically nursing homes, residential care homes and chronic disease hospitals, are subject to Conn. Gen. Stat. § 19a-550 with respect to retention and release of patient medical records.
- Under the Banking Law, a “Financial Institution” is defined as “a bank, Connecticut credit union, federal credit union, an out-of-state bank that maintains a branch in Connecticut and an out-of-state credit union that maintains an office in Connecticut.”
- Employers operating in Connecticut are subject to Conn. Gen. Stat. § 31-40x.

What are the principles applicable to personal data processing?
- The Personal Information Safeguarding Law requires those who possess personal information to safeguard it from misuse by third parties and to destroy, erase or make unreadable the information prior to disposal. Under the State Contractors Law, information must be maintained in accordance with a comprehensive data security program.
- Requirements with respect to the collection, processing, storing and disseminating of personal information will change as of July 1, 2023, when the Connecticut Data Privacy Act becomes effective.

How is the processing of personal data regulated?
- Social Security numbers may not be publicly posted or displayed, printed on any card required for the individual to access products or services, required to be transmitted over the Internet without a secure connection, or required to access a website unless a password or unique authentication mechanism is also required.
- Requirements with respect to the collection, processing, storing and disseminating of personal information will change as of July 1, 2023, when the Connecticut Data Privacy Act becomes effective.

How are storage, security and retention of personal data regulated?
- The Office of the Attorney General, Privacy and Data Security Department enforces Connecticut state laws governing notification of data breaches, safeguarding of personal information and protection of Social Security numbers and other sensitive information. This department is also responsible for the enforcement of federal laws under which the state Attorney General has enforcement authority, including HIPAA, the Children’s Online Privacy Protection Act of 1998 (“COPPA”) and the Fair Credit Reporting Act of 1970 (“FCRA”). This department may investigate data breaches and bring claims under the Connecticut Unfair Trade Practices Act (“CUTPA”) or otherwise seek settlements with offending parties. There are separate penalties for violations of the Social Security Number Law and the Personal Information Safeguarding Law.
- The Connecticut Labor Commissioner has authority to investigate employer violations, enforce Conn. Gen. Stat. § 31-40x and impose civil penalties.
- Requirements with respect to the collection, processing, storing and disseminating of personal information will change as of July 1, 2023, when the Connecticut Data Privacy Act becomes effective.

What are the data subjects' rights?
Connecticut law generally does not provide the right to access or correct personal data held by private companies. The preceding sentence notwithstanding, Connecticut law does grant medical patients the right to access their health records and further provides limited exceptions for a provider to withhold information from the health record if the provider determines that the information would be detrimental to the physical or mental health of the patient or is likely to cause the patient to harm himself/herself or another individual (Conn. Gen. Stat. § 20-7c).
Connecticut law further allows individuals to request personal information from insurance institutions, agents and insurance support organizations and establishes a procedure through which a person may correct, amend or delete such information (Conn. Gen. Stat. §§ 38a-983 to 38a-984).

Are there restrictions on cross-border data transfers?
N/A

Are there any notification requirements for data breaches?
Yes, the following are required:
- Notification to the affected Connecticut resident and the Connecticut Attorney General, made without unreasonable delay but not later than 60 days after discovery (unless a shorter federal timeframe applies); and
- Not less than 24 months of credit monitoring if the breach involved Social Security numbers or taxpayer identification numbers.

Who is the privacy regulator?
The Office of the Attorney General, Privacy and Data Security Department regulates privacy in Connecticut.

What are the consequences of a privacy breach?
Generally, the Attorney General may assess penalties under both federal (e.g., HIPAA and COPPA) and state law. From a state law standpoint, this includes the Connecticut Unfair Trade Practices Act ("CUTPA") (Conn. Gen. Stat. § 42-110b et seq.), the Data Breach Law (Conn. Gen. Stat. § 36a-701b), the Personal Information Safeguarding Law (Conn. Gen. Stat. § 42-471), and the Social Security Number Law (Conn. Gen. Stat. § 42-470).
The Connecticut Labor Commissioner has authority to investigate employer violations, enforce Conn. Gen. Stat. § 31-40x and impose civil penalties.

How is electronic marketing regulated?
There are no specific requirements at this time with respect to electronic marketing. However, new regulations will be implemented on July 1, 2023, when the Connecticut Data Privacy Act becomes effective.

Are there any recent developments or expected reforms?
In July 2021, Connecticut enacted a cybersecurity breach safe harbor (Public Act No. 21-119), which became effective on October 1, 2021. Under the act, state courts are prohibited from assessing punitive damages in data breach litigation where the defendant “created, maintained, and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry-recognized cybersecurity framework.” The cybersecurity program must also be designed to protect: (i) the confidentiality and security of personal and restricted information; (ii) against threats or hazards to the security or integrity of such information; and (iii) against unauthorized access to and acquisition of information that would result in a material risk of identity theft or other fraud to the individual. An acceptable cybersecurity program may also be measured by various factors, including the covered entity’s (i) size and complexity; (ii) the nature and scope of its activities; (iii) the sensitivity of the information to be protected; and (iv) the cost and availability of tools to improve information security and reduce risks. This act applies to “covered entities”, defined as any business that “accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside [the] state.”
On May 10, 2022, Connecticut Governor Ned Lamont signed the Connecticut Data Privacy Act (“DPA”) into law, which makes Connecticut the fifth state to enact comprehensive legislation with respect to consumer privacy. The DPA becomes effective on July 1, 2023, and applies to businesses that: (a) transact business in Connecticut or otherwise utilize products or services targeted to Connecticut residents; and (b) either (i) control or process the personal data of at least 100,000 Connecticut residents on an annual basis; or (ii) derive over 25% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Connecticut residents on an annual basis. Certain entities are exempt from the DPA, including state and local governments, tax-exempt organizations, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act, and “covered entities” and “business associates” as defined by HIPAA. The DPA will require opt-in consent for the collection and processing of a consumer’s “sensitive” information, such as information revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and precise geolocation data. The DPA also provides consumers with rights of notice, access, portability, correction and deletion, provided, however, that businesses are afforded certain exemptions in this regard (e.g., to combat fraud). The DPA will also allow consumers to opt out of the use of their information for certain purposes, such as the sale of personal data and targeted advertising (and similarly require opt-in consent from minors). The DPA will be enforced through the Office of Connecticut’s Attorney General.