
Connecticut Cybersecurity & Privacy Laws

January 2, 2025



Connecticut has enacted several laws to address cybersecurity, data security, insurance security, and privacy. Connecticut Cybersecurity Privacy Law is thorough. Here’s a breakdown of the key aspects of each:

1. Cybersecurity Laws:

  • Connecticut Data Privacy Act (CTDPA): Effective July 1, 2023, the CTDPA requires companies processing a certain amount of consumer personal data to employ reasonable cybersecurity practices to prevent unauthorized access or theft. While it doesn’t explicitly mandate encryption, using it for storing and transmitting personal data is generally considered a reasonable practice.  
  • Incentives for Cybersecurity Programs: State law incentivizes businesses that handle personal or restricted information to establish and maintain a written cybersecurity program with administrative, technical, and physical safeguards that align with an industry-recognized framework. Compliance can offer protection against punitive damages in data breach lawsuits, unless the failure to implement reasonable controls resulted from gross negligence or willful misconduct. 
  • Reasonable Security Practices: Entities storing personal data on internet-connected systems must implement reasonable cybersecurity measures, including up-to-date firewalls, virus detection software, and regular security patches and updates. Failure to maintain reasonable safeguards can lead to civil penalties of up to $5,000 per violation. 
  • Insurance Data Security Law: Requires licensed insurance companies to develop, implement, and maintain a comprehensive written information security program based on a risk assessment. This includes determining if encryption or other appropriate means are needed to safeguard nonpublic information during transmission and storage. 

2. Data Security Laws:

  • Connecticut Data Privacy Act (CTDPA): As mentioned above, this act mandates reasonable data security practices for covered entities to protect personal data.
  • Connecticut General Statutes § 743dd: Requires certain businesses to create a privacy policy detailing how they protect the personal identifying information of their customers and other parties whose data they possess. 
  • Insurance Data Security Law (CGA § 38a-38(c)): Obligates licensed insurance companies to establish and maintain a comprehensive written information security program. 
  • Data Breach Notification Requirements: Connecticut law has been updated to broaden the definition of “personal information” requiring notification and shorten the timeline for reporting a “breach of security” to “without unreasonable delay, but not later than 60 days.” The definition of personal information now includes IRS-issued PIN numbers, government-issued ID numbers, medical information, and health insurance numbers.  

3. Insurance Security Laws:

  • Insurance Data Security Law (Conn. Gen. Stat. § 38a-38): This law, modeled after the National Association of Insurance Commissioners’ model law, applies to entities licensed by the Connecticut Insurance Department. It requires them to:
    • Develop, implement, and maintain a written comprehensive information security program based on a risk assessment. This program must include administrative, technical, and physical safeguards appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the nonpublic information it uses or possesses.
    • Conduct risk assessments to identify reasonably foreseeable internal and external threats.
    • Implement controls such as employee training, secure system design, access restrictions, and regular testing and monitoring.
    • Investigate cybersecurity events and report them to the Insurance Commissioner as promptly as possible, but no later than three business days after the event, if it is reasonably likely to materially harm their business or a Connecticut consumer.
    • Notify consumers affected by a data breach in accordance with the state’s existing data breach notification law (within 60 days). A copy of this notice must also be provided to the Insurance Commissioner.
    • Require third-party service providers to implement appropriate security measures.
    • Domestic insurers must annually certify compliance with the Act, beginning February 15, 2021. 
  • Connecticut Insurance Information and Privacy Protection Act (Title 38a, Chapter 705): This act focuses on the fair information practices in the insurance industry, defining how insurers collect, use, and disclose information. It includes provisions on:
    • Notice of information practices to consumers.
    • Consumer rights to access and correct their recorded personal information. 
    • Limitations on the disclosure of information.
    • Prohibitions on using pretext interviews. 
    • Requirements for specifying questions for marketing or research purposes.
    • Procedures for adverse underwriting decisions.

4. Privacy Laws:

Connecticut Cybersecurity Privacy Law addresses several rights.

  • Connecticut Data Privacy Act (CTDPA): This is the primary comprehensive consumer privacy law in Connecticut, granting Connecticut residents several rights regarding their personal data, including:
    • Right to Access: The right to confirm if a controller is processing their personal data and to access that data.
    • Right to Correct: The right to correct inaccuracies in their personal data.
    • Right to Delete: The right to delete their personal data.
    • Right to Obtain a Copy (Data Portability): The right to obtain a copy of their personal data in a portable and readily usable format.  
    • Right to Opt-Out: The right to opt out of the processing of their personal data for:
      • Targeted advertising.  
      • The sale of personal data.  
      • Profiling in connection with automated decision-making that could have legal or similarly significant effects. 

  • Universal Opt-Out Mechanism: As of January 1, 2025, businesses covered under the CTDPA must honor universal opt-out preference signals sent by Connecticut residents, allowing them to automatically communicate their opt-out preferences for targeted advertising and the sale of personal data.   
  • Consent Requirements: Controllers must obtain consent to process sensitive data, which includes data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sex life, sexual orientation, or citizenship/immigration status, as well as genetic and biometric data. For consumers under 16, opt-in consent is required for selling their data or processing it for targeted advertising.   
  • Privacy Notice: Controllers must provide a clear and accessible privacy notice detailing the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of personal data shared with third parties, and contact information for the controller.  
  • Data Minimization: Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the specified processing purposes. 
  • Non-Discrimination: Controllers cannot discriminate against consumers for exercising their privacy rights. 
  • Online Privacy Act Amendments: Recent amendments have introduced specific protections for children’s data and require social media platforms to allow minors to “unpublish” and delete their accounts. Controllers providing online services to minors must also use reasonable care to avoid heightened risks of harm and conduct data protection assessments.

It’s important to note that these laws have specific applicability thresholds, definitions, and exemptions. Businesses operating in Connecticut should carefully review these regulations to ensure compliance.

In the state of Connecticut, any business that experiences a data breach is required to investigate the likelihood that personal information will be misused. Businesses are legally required to notify affected Connecticut residents as soon as possible by mail, telephone, or electronic means. If the security breach affects more than 500,000 people or the cost of notification exceeds $250,000, other means of notification can be used (e.g., public service announcements). When notifying affected residents, the attorney general must also be notified. See below for details on CT’s data breach laws.

Banking Law of Connecticut

Name of Law / Statute: Banking Law of Connecticut
Definition of Protected Information: Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, or debit card number if accompanied by PIN, password, or access codes.
Who Is Subject to Law? Any person or business conducting business in the state who licenses or maintains PI in the course of business.
Notification of Consumers? Yes, unless a determination of no harm is made by the business AND a government agency in conjunction.
By what means? Written, electronic, or phone.
Substitute Notice Threshold? If cost of notice is >$250,000 or the breach involves >500k residents.
Notification of authorities / regulators required? Yes, within the same timeframe as to consumers.
By what means? Email.
Regulatory Fines: Yes
Credit monitoring requirement? No
Private lawsuits allowed? No
Private damages cap? N/A
Regulatory actions allowed? N/A
HIPAA Compliance exemption? N/A
Other (e.g., timeframe): Law does not apply if PI was encrypted or otherwise secured.
Link to complete law: http://law.justia.com/codes/connecticut/2012/title-36a/chapter-669/section-36a-701b

Read the full text of Connecticut’s data breach law for more