On June 15, 2012, Connecticut Governor Dan Malloy signed House Bill 6001, legislation to implement provisions of the state budget for the 2012-2013 fiscal year.  Included in the legislation was a series of amendments to Connecticut’s breach notification law.  The most significant set of amendments to the breach notification law added a requirement to report breaches to the Connecticut Attorney General. 

To download a copy of HB 6001, click here.  The amendments to the breach notification law appear on pages 137-138 of the pdf.  They amend Section 36a-701b of the Connecticut General Statutes.  The amendments will become effective on October 1, 2012. 

The key amendment states that if a breach notification is required, the party making the notification to Connecticut residents must also provide notice of the breach to the Attorney General of Connecticut.  Regarding the timing of the breach notification to the AG, the notification must be provided no later than the notification to affected Connecticut residents. See Conn. Gen. Stat. 36a-701b(b)(2). 

Other amendments make it clear that breach notifications may run from a party that maintains personal information, but does not own it, to the owner or licensee of that personal information, as well as from a notifying party to an affected resident.  Connecticut also dovetails its breach notification law with parties having internal breach notification procedures or financial institutions covered by the Gramm-Leach-Bliley Act.  Parties making notifications under internal procedures and GLB are deemed to have complied with the Connecticut breach notification law.  Under the HB 6001 amendments, however, these parties must also notify the AG of the breach.  The remaining amendments are clarifications of the existing language of the statute. 

In response to these amendments, businesses covered by the Connecticut breach notification law should ensure that they add AG reporting to their breach response procedures. 

Stephen Wu

Partner, Cooke Kobrick & Wu LLP