Connecticut currently has a data breach notification law on its books. Like the laws of many other states, it provides safe harbor from sending out notification letters in the event of a data breach if the data was protected with encryption tools, such as full disk encryption for laptop data protection.
I just had to take a look into it after yesterday's post on Connecticut's insurance data breach notification directive.
The state's notification law is surprisingly short.
Connecticut is one of those states that does not twist language and logic in order to essentially say, "if you used encryption to protect data, you're golden." Many state laws provide safe harbor by defining personal information as "unencrypted personal information." Then, they mandate notification letters in the event of a data breach of personal information.
Since encrypted personal information is, by that definition, not personal information (see how convoluted that is?), the breach of encrypted personal information does not require breach notifications. No such nonsense with Connecticut. Here's their definition of a breach:
For purposes of this section, "breach of security" means unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. [Sec. 36a-701b(a)]
Oh, my! How stupendously direct and clear that is! Honestly, I've got to congratulate the Connecticut legislature for making things so easy to comprehend.
I mean, certainly there are loopholes (would password-protection be considered a method that "renders the personal information unreadable or unusable?" I would not: a login password only gates the operating system, and the data on the drive stays in the clear, so pulling the disk and mounting it on another machine reads it without any password at all). However, you don't have to jump and hop over different sections to figure out what's going on.
Note how the breach is relegated to computerized data only. This is something of an antiquated definition of a data breach. Notification ought to be extended to paper records as well, just like the CT Insurance Commissioner mandated to its registered entities.
In fact, many states are updating data breach notification laws to include information breaches of paper documents.
According to the law, "personal information" is the first name (or initial) and last name combined with:
- Social Security number
- Driver's license or state ID card number
- Financial information, such as account numbers or credit card numbers, together with any security code, access code or password that would allow access to the account

Nothing surprising here.
There are no specifics on what needs to be included in notification letters, although this is not uncommon. Many states do not specify content requirements; those that do generally tend to include the following:
- The incident, in general terms;
- The type of personal information that was subject to the unauthorized access and acquisition;
- The general acts of the individual or entity to protect the personal information from further unauthorized access;
- A telephone number that the person may call for further information and assistance, if one exists; and
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

There is an exception to sending individual notification letters when doing so would cost more than $250,000 or would involve more than 500,000 people. In that case, substitute notice may be given instead, as long as all of the following are done:
- E-mail is sent to affected persons whose electronic addresses are on file
- Conspicuous posting on the breached entity's website
- Notification to state-wide media
No specific penalties are listed for not complying with CT's breach notification legislation. However,
Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General. [Sec. 36a-701b(g)]
I would suggest the use of AlertBoot endpoint encryption vs. having to deal with all of the above if and when things go awry. I mean, why not take advantage of a safety net (in the form of encrypted data) if you're being afforded one?
Related Articles and Sites:
http://www.cga.ct.gov/2009/pub/chap669.htm#Sec36a-701b.htm