On April 28, the Connecticut House passed Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (SB 6 or the Connecticut Act). The Senate had unanimously passed SB 6 on April 20, and the bill is now under consideration by Governor Ned Lamont. If the bill becomes law, it will take effect on July 1, 2023, making Connecticut the fifth state to enact a comprehensive data privacy law.

Who Must Comply?

The Connecticut Act would apply primarily to “controllers” and “processors.”

SB 6 defines a “controller” as any “individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.” Under the Connecticut Act, a “processor” means an individual who, or legal entity that, processes personal data on behalf of a controller.

SB 6 would apply to individuals or entities that (1) conduct business in Connecticut and (2) during the preceding year, controlled or processed the personal data of at least either:

  • 100,000 consumers, excluding personal data controlled or processed solely for completing a payment transaction, or
  • 25,000 consumers, where the business also derived more than 25% of its gross revenue from selling personal data.

What Is Protected?

The Connecticut Act protects “personal data” and “sensitive data.”

“Personal data” means any information linked or reasonably linked to an identified or identifiable individual. The definition does not include de-identified data or publicly available information.

“Sensitive data” means personal data that includes (1) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying any individual; (3) personal data collected from a known child; or (4) precise geolocation data.

Exempted Data

Various information is exempted under the Connecticut Act, including information collected under the Health Insurance Portability and Accountability Act (HIPAA), information bearing on a consumer’s creditworthiness to the extent such activity is regulated by and authorized under the Fair Credit Reporting Act (FCRA), and financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA).

Information controlled or processed solely for the purpose of completing a payment transaction is also exempted, an exemption that differs from those in other state privacy laws.

Key Definitions

“Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. It does not include (1) disclosure of personal data to a processor that processes the personal data on behalf of the controller; (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; (3) the disclosure or transfer of personal data to an affiliate of the controller; (4) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party; (5) the disclosure of personal data that the consumer (a) intentionally made available to the general public via a channel of mass media and (b) did not restrict to a specific audience; or (6) the disclosure or transfer of personal data to a third party as an asset that is part of a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

“Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated internet web services or online applications to predict such consumer’s preferences or interests. It does not include (1) advertisements based on activities within a controller’s own internet websites or online applications; (2) advertisements based on the context of a consumer’s current search query, visit to an internet website, or online application; (3) advertisements based on a consumer’s request for information or feedback; or (4) processing personal data solely to measure or report advertising frequency, performance, or reach.

What Rights Are Granted to Consumers?

The Connecticut Act grants consumers a number of rights, including, among others: (1) the right to confirm whether or not a controller is processing the consumer’s personal data and the right to access that personal data; (2) the right to correct inaccuracies in the consumer’s personal data; (3) the right to delete the personal data; (4) the right to obtain a copy of the consumer’s personal data in a portable and readily transferable format; and (5) the right to opt out of the processing of personal data for (a) targeted advertising, (b) the sale of personal data, or (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

What Obligations Apply to Controllers?

  • Data Minimization. A controller shall “limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed.”
  • Duty to Avoid Secondary Use. A controller shall “not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”
  • Security Practices. A controller shall “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
  • Consent. A controller shall “not process sensitive data concerning a consumer without first obtaining the consumer’s consent, or in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA.” A controller also must provide an effective mechanism for a consumer to revoke consent.
  • Discrimination. A controller must “not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers.” A controller also shall not discriminate against a consumer for exercising any of his/her rights under the Connecticut Act.
  • Data Protection Assessments. A controller shall “conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer,” which includes any processing of personal data for the purposes of targeted advertising, the sale of personal information, or profiling.
  • Privacy Notices. A controller shall “provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (4) the categories of personal data that the controller shares with third parties, if any; (5) the categories of third parties, if any, with which the controller shares personal data; and (6) an active electronic mail address that the consumer may use to contact the controller.”

What Obligations Apply to Processors?

  • Data Processing Agreements. A processor must be governed by a contract that must “set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.”
  • Data Subject Requests. A processor must have processes in place, “taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as is reasonably practicable, to fulfill the controller’s obligation to respond to consumer rights requests.”
  • Duty of Care. A processor shall assist “the controller in meeting the controller’s obligation in relation to the security of processing the personal data and in relation to the notification of a breach of security.”
  • Data Protection Assessments. A processor shall provide the necessary information to “enable the controller to conduct and document data protection assessments.”
  • Confidentiality. A processor must ensure “that each person processing personal data is subject to a duty of confidentiality with respect to the data.”
  • Subcontractors. A processor must “engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.”

Who Can Enforce the Connecticut Act?

The Connecticut Act does not create a private right of action. The Connecticut attorney general has exclusive authority to enforce violations of the Connecticut Act. Prior to any such enforcement action, the attorney general must provide a 60-day notice to allow the business the opportunity to cure any alleged violations. This notice-to-cure provision will sunset on December 31, 2024.

What’s Next?

If signed by the governor (which is expected to occur), SB 6 will become law. If the governor vetoes the bill, it will be returned to the Senate to be reconsidered. If the governor fails to act within five days while the legislature is in session, or within 15 days after adjournment, counted from the day the bill was presented, it will become law automatically. If it becomes law, Connecticut will be the fifth state to adopt a comprehensive privacy law, following California, Virginia, Colorado, and Utah.

In a recent opinion, the District of Connecticut dismissed cross-motions for summary judgment filed by a debtor and a debt collector for claims arising under the Fair Debt Collection Practices Act.  The case is Garcia v. Law Offices of Howard Lee Schiff, P.C., No. 3:16-cv-791 (D. Conn. Dec. 14, 2018).  This case arises from a debt collection letter mailed from the Law Offices of Howard Lee Schiff, P.C. (the “Schiff firm”), to Luis Garcia in an attempt to collect a deficient bank account balance.  The letter indicated that Garcia owed a “charge-off balance” of $663.94 and a “current balance” of $565.46.  It listed as $0.00 the post charge-off interest accrued, post charge-off fees accrued, and post charge-off payments and credits. 

After receiving the letter, Garcia filed suit in the District of Connecticut alleging various violations of the FDCPA.  The Court dismissed all but two of Garcia’s claims against the Schiff firm.  Thereafter, the parties engaged in discovery and filed cross-motions for summary judgment.  In evaluating the parties’ summary judgment motions, the Court confined its analysis to Garcia’s only remaining FDCPA claim, which arose under 15 U.S.C. § 1692e.  This section of the FDCPA prohibits debt collectors from using “any false, deceptive, or misleading representation or means in connection with the collection of any debt.” 

The Court first examined whether the balances stated in the letter constituted a violation of § 1692e, which requires that a false, deceptive, or misleading representation be open to more than one reasonable interpretation (one of which is inaccurate), be material, and could be interpreted as such by the least sophisticated consumer.  The Court held that a jury could find the letter to be violative of the FDCPA.  In so holding, the Court noted that the least sophisticated consumer could be confused by the difference between the charge-off and current balance stated in the letter.  It further noted that, although the monetary difference between the two amounts may not appear substantial, a jury could find it to be material because “a reasonable debtor might choose to satisfy other debts or delay repayment . . . based on this difference.”  

The Court then examined whether, despite the above genuine issue of material fact, the debt collector had demonstrated that any violation of the FDCPA was caused by a bona fide error, which required the debt collector to demonstrate that (1) there was an unintentional clerical or factual error, (2) the debt collector’s actions were objectively reasonable, and (3) the debt collector’s procedures constitute reasonable precautions against error.   

In evaluating the debt collector’s bona fide error claim, the Court found that the first prong was met based on an affidavit from the Schiff firm’s managing partner indicating that the programmer who programmed the letter to automatically fill in the balances “forgot to include payments which may have been made by the consumer” after the charge-off date.  However, the Court found that reasonable jurors could disagree about whether the second and third prongs were met because they could disagree about “what errors constitute unreasonable debt collection practices,” the managing partner’s credibility, and whether the Schiff firm’s safeguards “were reasonable precautions against the mailing of letters with different and unexplained charge-off and current balance amounts.”  For these reasons, the Court denied both motions for summary judgment and allowed Garcia’s FDCPA claim to proceed to the jury.   

Troutman Sanders will continue to monitor and report on developments in this area of the law.


In a memorandum dated June 30, the Connecticut Department of Banking stated that it will take no action against licensed consumer collection agencies who collect student loan debt if the licensed consumer collection agencies do not have a license to service student loans.  The Department stated that consumer collection agencies who collect student loan debt must continue to abide by “all other requirements and standards imposed on student loan servicers.” 

On June 1, Connecticut Governor Dan Malloy signed the Fair Chance Employment Act (CT HB 5237) into law.  The statute, like other “ban the box” laws nationwide, prohibits covered employers from asking about an applicant’s criminal history on an initial employment application.

Under the Act, “employers” are broadly defined to mean “any person engaged in business who has one or more employees, including the state or any political subdivision of the state.”

There are two exceptions to the Act – for when a criminal history inquiry is required by state or federal law, and for when a security or fidelity bond is required for the position.  After the initial interview stage, employers remain free to inquire about criminal history.  Notably, the law does not provide applicants with a private right of action against an employer, and complaints must be directed to the Connecticut Labor Commissioner’s Office.

The new law will become effective on January 1, 2017.  Connecticut is now the ninth state to enact “ban the box” legislation that extends to the private sector.  Many other municipalities, including New York City, have enacted similar legislation. 

Troutman Sanders has extensive experience in counseling companies on background screening compliance, including in “ban the box” jurisdictions.


On June 1, the Connecticut legislature passed a bill that would require businesses exposed to a data breach to notify victims within 90 days of the breach.  The bill would also require businesses to provide victims with one year of identity-theft protection if their Social Security number is compromised.  Senate Bill 949, An Act Improving Data Security and Agency Effectiveness, is expected to be signed by Governor Daniel Malloy.

Current law requires a business or person to notify customers “without unreasonable delay.”  Current law contains no requirement regarding how long a business must provide identity-theft protection.

Attorney General George Jepsen, who is charged with investigating data breaches, applauded the General Assembly’s action.  In a press release, Jepsen stated, “The legislation passed by the Senate and the House this year will provide clarity on the minimum requirements under Connecticut law for businesses that experience data breaches affecting consumers’ personal information.”

Jepsen said the new law’s requirement for at least one year of identity-theft protection “sets a floor for the duration of the protection and does not state explicitly what features the free protection must include.”

“I continue to have enforcement authority to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant,” Jepsen noted. “Indeed, in matters involving breaches of highly sensitive information, like Social Security numbers, my practice has been to demand two years of protections.  I intend to continue that practice.”

Jepsen added that the 90-day requirement for businesses to notify customers after a breach doesn’t limit his discretion to seek relief from companies who “unduly delay notifying those whose data has been compromised or my office.”

This past March, Jepsen announced the creation of the Privacy and Data Security Department, an office within the Connecticut Office of the Attorney General.  The Department is charged with working exclusively on investigations and litigation related to privacy and data security.

You can follow the Consumer Financial Services Law Monitor for continued updates on this and other news stories.

The International Association of Privacy Professionals (IAPP) recently conducted an interview with Connecticut Attorney General George Jepsen. General Jepsen is considered a leader among the State Attorneys General in the area of privacy, and Connecticut is considered one of the most active states in privacy policy and in legal enforcement actions related to privacy issues.  In 2011, Connecticut was among the first states to create a special privacy unit within its attorney general’s office.  Within the last two years, General Jepsen has advocated for an amendment to Connecticut’s breach notification law requiring that notice of breaches be made directly to his office, and his office has led several major multistate investigations related to privacy.

During his interview with the IAPP, General Jepsen explained that the current area of focus for his Office’s Privacy Task Force has been “one, to proactively promote the protection of personal data and information and two, to investigate any breaches of that information in violation of federal and state laws that require protection of that data or other violations of privacy.”

General Jepsen also expounded upon the multistate investigation process related to privacy issues, explaining that his office maintains very good working relationships with other state attorney general offices, resulting in more efficient and effective investigations. When working with state attorneys general, General Jepsen advised businesses that they should be “as honest and open as possible.”  He explained that when he writes to a business, “you can rest assured they are sincere concerns. In those instances, I really am interested in learning either why I should not be concerned or what we can do to address concerns that prove to be well-founded.”

Finally, in the area of state/federal collaboration, he noted that his “office has a very good working relationship with the FTC, having recently joined with it to file two lawsuits in Connecticut,” and that he is “open to broader federal/state coordination of efforts.”  He concluded by stating that “States and the federal government should be regarded as partners, complementing each others’ resources to advance the shared goal of privacy protection.”

Dear Mary,

One of our employees recently fell victim to a phishing attack, allowing unauthorized access to their email account for a brief period. To be safe, we reset everyone’s passwords and terminated all active sessions. We’re now in the process of hiring a law firm to determine if we need to notify anyone about the incident. It’s taking a little longer to get them engaged, but I’m hoping to have this done soon. In the meantime, is there anything else we should be considering?

– Not Entirely Clueless in Connecticut
