Starting October 1, businesses that collect and store personal information about Connecticut residents will be required to report any data security breaches to the Attorney General’s office, in addition to notifying the individuals impacted by the breach.
“Existing state law directs my office to enforce requirements that companies notify state residents whose personal information may be compromised by a data breach,” said Attorney General George Jepsen in a press release. “However, the law made no requirement that my office be notified, making enforcement difficult. That will change beginning October 1, and I want to ensure that the process for a business owner to report a data breach is as easy as possible.”
Those in violation of the notification requirements could be subject to enforcement action by the Attorney General’s office under the Connecticut Unfair Trade Practices Act. The law taking effect on October 1 will also give the Attorney General enforcement power over companies that do not notify his office. Businesses are required to notify the Attorney General at the same time they notify residents.
To make the process easier, the Attorney General’s office established a new email address, email@example.com, for companies to use if they detect a data breach. The email account will be monitored by the Privacy Task Force established by Jepsen last year.