(a) For purposes of this section, (1) “breach of security” means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable; and (2) “personal information” means an individual's (A) first name or first initial and last name in combination with any one, or more, of the following data: (i) Social Security number; (ii) taxpayer identification number; (iii) identity protection personal identification number issued by the Internal Revenue Service; (iv) driver's license number, state identification card number, passport number, military identification number or other identification number issued by the government that is commonly used to verify identity; (v) credit or debit card number; (vi) financial account number in combination with any required security code, access code or password that would permit access to such financial account; (vii) medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (viii) health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual; or (ix) biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina or iris image; or (B) user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account. 
“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
(b) (1) Any person who owns, licenses or maintains computerized data that includes personal information, shall provide notice of any breach of security following the discovery of the breach to any resident of this state whose personal information was breached or is reasonably believed to have been breached. Such notice shall be made without unreasonable delay but not later than sixty days after the discovery of such breach, unless a shorter time is required under federal law, subject to the provisions of subsection (d) of this section. If the person identifies additional residents of this state whose personal information was breached or reasonably believed to have been breached following sixty days after the discovery of such breach, the person shall proceed in good faith to notify such additional residents as expediently as possible. Such notification shall not be required if, after an appropriate investigation the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired or accessed.
(2) If notice of a breach of security is required by subdivision (1) of this subsection:
(A) The person who owns, licenses or maintains computerized data that includes personal information, shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General; and
(B) The person who owns or licenses computerized data that includes personal information, shall offer to each resident whose personal information under clause (i) or (ii) of subparagraph (A) of subdivision (2) of subsection (a) of this section was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twenty-four months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file.
(c) Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information of a resident of this state was breached or is reasonably believed to have been breached.
(d) Any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination.
(e) Any notice to a resident, owner or licensee required by the provisions of this section may be provided by one of the following methods, subject to the provisions of subsection (f) of this section: (1) Written notice; (2) telephone notice; (3) electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001; (4) substitute notice, provided such person demonstrates that the cost of providing notice in accordance with subdivision (1), (2) or (3) of this subsection would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand persons or that the person does not have sufficient contact information. Substitute notice shall consist of the following: (A) Electronic mail notice when the person has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the web site of the person if the person maintains one; and (C) notification to major state-wide media, including newspapers, radio and television.
(f) (1) In the event of a breach of login credentials under subparagraph (B) of subdivision (2) of subsection (a) of this section, notice to a resident may be provided in electronic or other form that directs the resident whose personal information was breached or is reasonably believed to have been breached to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same user name or electronic mail address and password or security question and answer.
(2) Any person that furnishes an electronic mail account shall not comply with this section by providing notification to the electronic mail account that was breached or reasonably believed to have been breached if the person cannot reasonably verify the affected resident's receipt of such notification. In such an event, the person shall provide notice by another method described in this section or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet protocol address or online location from which the person knows the resident customarily accesses the account.
(g) Any person that maintains such person's own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies, as applicable, residents of this state, owners and licensees in accordance with such person's policies in the event of a breach of security and in the case of notice to a resident, such person also notifies the Attorney General not later than the time when notice is provided to the resident. Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in compliance with the security breach notification requirements of this section, provided (1) such person notifies, as applicable, such residents of this state, owners, and licensees required to be notified under and in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security, and (2) if notice is given to a resident of this state in accordance with subdivision (1) of this subsection regarding a breach of security, such person also notifies the Attorney General not later than the time when notice is provided to the resident.
(h) Any person that is subject to and in compliance with the privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) shall be deemed to be in compliance with this section, provided that (1) any person required to provide notification to Connecticut residents pursuant to HITECH shall also provide notice to the Attorney General not later than the time when notice is provided to such residents if notification to the Attorney General would otherwise be required under subparagraph (A) of subdivision (2) of subsection (b) of this section, and (2) the person otherwise complies with the requirements of subparagraph (B) of subdivision (2) of subsection (b) of this section.
(i) All documents, materials and information provided in response to an investigative demand issued pursuant to subsection (c) of section 42-110d in connection with the investigation of a breach of security as defined by this section shall be exempt from public disclosure under subsection (a) of section 1-210, provided the Attorney General may make such documents, materials or information available to third parties in furtherance of such investigation.
(j) Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General.
(P.A. 05-148, S. 3; 05-288, S. 231, 232; June 12 Sp. Sess. P.A. 12-1, S. 130; P.A. 15-142, S. 6; P.A. 18-90, S. 2; P.A. 19-117, S. 231; 19-196, S. 9; P.A. 21-59, S. 1.)
History: P.A. 05-148 effective January 1, 2006; P.A. 05-288 made technical changes in Subsecs. (b) and (f), effective January 1, 2006; June 12 Sp. Sess. P.A. 12-1 amended Subsec. (a) by adding “unauthorized” re acquisition, amended Subsec. (b) by designating existing provisions as Subdiv. (1) and amending same to replace “disclose” with “provide notice of” and “disclosure” with “notice” and by adding Subdiv. (2) re notice of breach of security to Attorney General, amended Subsec. (c) by adding “of a resident of this state” re personal information, amended Subsec. (e) by adding “to a resident, owner or licensee” re notice, replacing “person, business or agency” with “person” and making a technical change, and amended Subsec. (f) by replacing references to subject persons with references to residents of this state, owners and licensees, as applicable, adding provisions re notice to Attorney General and deleting reference to system; P.A. 15-142 made technical changes in Subsec. (a), amended Subsec. (b) to replace “was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security” with “was breached or is reasonably believed to have been breached” and add provision re notice of breach of security not later than 90 days after discovery unless shorter time is required under federal law in Subdiv. (1), to designate existing provision re notice of breach to Attorney General as Subpara. (A) in Subdiv. (2) and amend same to add Subpara. (B) re provision of identity theft prevention services and identity theft mitigation services, and amended Subsec. (c) to replace “was, or is reasonably believed to have been accessed by an unauthorized person” with “was breached or is reasonably believed to have been breached”; P.A. 18-90 amended Subsec. (a)(1) by deleting “account number,” in Subpara. (C), adding Subpara. (D) re financial account number, and making a technical change, and amended Subsec. (b)(2)(B) by replacing “twelve months” with “twenty-four months” re period for which service is to be provided at no cost to resident; P.A. 19-117 amended Subsec. (b)(2)(B) by replacing provision re personal information under Sec. 38a-999b(a)(4)(A) with provision re nonpublic information under Sec. 38a-38(b)(9)(B)(i) and made a conforming change, effective October 1, 2020; P.A. 19-196 changed effective date of P.A. 19-117 from October 1, 2020, to October 1, 2021, effective July 8, 2019; P.A. 21-59 amended Subsec. (a)(2) to redefine “personal information”, redesignate Subpara. (A) as clause (i), Subpara. (B) as clause (iv), Subpara. (C) as clause (v), Subpara. (D) as clause (vi) and added clauses (ii), (iii) and (vii) to (ix) re additional types of personal information in Subpara. (A) and added new Subpara. (B) re user name or electronic mail address; amended Subsec. (b)(1) and (2) to delete provision re conducting business in this state and reference to “ordinary course of such person's business”, amended Subsec. (b)(1) to change 90 days to 60 days, delete provision re completion of investigation by person, add provision regarding notification of additional residents following 60 days after discovery of the breach, delete provision re consultation with law enforcement agencies, and make a technical change, amended Subsec. (b)(2)(B) to replace “nonpublic information” with “personal information” and make a technical change, amended Subsec. (e) to add “, subject to the provisions of subsection (f) of this section”, added new Subsec. (f) re breach of login credentials, redesignated existing Subsec. (f) as Subsec. (g), added Subsec. (h) re persons subject to certain privacy and security standards deemed to be in compliance, added Subsec. (i) re exemption from public disclosure and redesignated existing Subsec. (g) as Subsec. (j).
Connecticut General Statutes, Title 36a - The Banking Law of Connecticut, Chapter 669 - Regulated Activities