On June 1, the Connecticut legislature passed a bill that would require businesses exposed to a data breach to notify victims within 90 days of the breach.  The bill would also require businesses to provide victims with one year of identity-theft protection if their Social Security number is compromised.  Senate Bill 949, An Act Improving Data Security and Agency Effectiveness, is expected to be signed by Governor Daniel Malloy.

Current law requires a business or person to notify customers “without unreasonable delay.”  There is currently no requirement in current law regarding how long a business should provide identity-theft protection.

Attorney General George Jepsen, who is charged with investigating data breaches, applauded the General Assembly’s action.  In a press release, Jepsen stated, “The legislation passed by the Senate and the House this year will provide clarity on the minimum requirements under Connecticut law for businesses that experience data breaches affecting consumers’ personal information.”

Jepsen said the new law’s requirement for at least one year of identity-theft protection “sets a floor for the duration of the protection and does not state explicitly what features the free protection must include.”

“I continue to have enforcement authority to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant,” Jepsen noted. “Indeed, in matters involving breaches of highly sensitive information, like Social Security numbers, my practice has been to demand two years of protections.  I intend to continue that practice.”

Jepsen added that the 90-day requirement for businesses to notify customers after a breach doesn’t limit his discretion to seek relief from companies who “unduly delay notifying those whose data has been compromised or my office.”

This past March, Jepsen announced the creation of the Privacy and Data Security Department, an office within the Connecticut Office of the Attorney General.  The Department is charged with working exclusively on investigations and litigation related to privacy and data security.

You can follow the Consumer Financial Services Law Monitor for continued updates on this and other news stories.