Connecticut and Rhode Island Amend Data Security and Breach Laws | Practical Law

Connecticut and Rhode Island have amended their data security and breach notification laws.

Practical Law Legal Update 5-617-1192 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 06 Jul 2015 | Connecticut, Rhode Island
On June 30, 2015, Connecticut Governor Dannel Malloy signed Public Act No. 15-142 into law. Among other things, the amendments provide that:
  • Effective October 1, 2015, all businesses must:
    • notify persons whose personal information was compromised by a data breach within 90 days of discovery of the breach unless federal law requires sooner notification; and
    • when a data breach compromises names and Social Security numbers, provide the affected persons with identity-theft prevention services covering a period of at least 12 months at no cost as well as information on how to place a security freeze on their credit files.
  • Effective October 1, 2015, health insurers and other relevant health care-related entities must:
    • implement and maintain a comprehensive information security program to protect personal information of insureds and enrollees;
    • annually update their security programs;
    • certify compliance annually to the Insurance Department; and
    • comply with the general data breach notification requirements.
In addition, the amendments include new obligations for state contractors and state agencies, which are effective July 1, 2015.
On June 26, 2015, Rhode Island Governor Gina Raimondo signed S.B. S0134 into law. The bill repeals the state's current breach notification and identity theft law and enacts the Identity Theft Protection Act of 2015, effective June 26, 2016. The new Act provides for robust data security requirements, including that agencies and businesses that collect and handle a Rhode Island resident's personal information must:
  • Create a risk-based information security program to prevent the unauthorized use or access of the information.
  • Either not retain personal information longer than necessary for the purpose for which it was collected or develop a written document retention policy.
  • When sharing personal information with third parties, have a written contract ensuring that the third parties have security procedures in place to protect the information before sharing.
The Act also substantially changes the state's data breach notice requirements. Among other changes, under the new law:
  • The definition of personal information is expanded to include paper records and to add the following data elements:
    • tribal identification number;
    • medical or health insurance information; and
    • e-mail address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance or financial account.
  • Covered entities must notify affected individuals no later than 45 days after confirming the breach.
  • If a data breach affects more than 500 individuals, covered entities must notify the attorney general and credit reporting agencies.
In addition, under the new law, the notification to individuals must include the following information to the extent known:
  • A general and brief description of the incident, including how the security breach occurred and the number of affected individuals.
  • The type of information that was subject to the breach.
  • The date, estimated date or date range within which the breach occurred.
  • The date the breach was discovered.
  • A clear and concise description of:
    • any remediation services offered to affected individuals, including toll-free numbers and websites to contact the credit reporting agencies, remediation service providers and the attorney general; and
    • the consumer's ability to file or obtain a police report, how a consumer may request a security freeze, the necessary information to be provided when requesting the security freeze and that fees may be required to be paid to the consumer reporting agencies.