Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 90 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws may result in civil penalties of up to $5,000.

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • In the event of a data breach, the data owner must provide affected individuals with twenty-four (24) months of identity theft services and mitigation at no cost to the individuals.
  • There are education-sector specific vendor contract requirements that establish the need for breach of security obligation provisions.
  • Specific data protection requirements for health insurers and healthcare entities may apply.
  • Statutes for entities regulated by the Insurance Commissioner have a notification deadline of 5 days.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • 743dd CT Stat § 42-471 Protection of Social Security Numbers and Personal Information (2000)
  • CT Gen Stat § 38a-999b Comprehensive Information Security Program (2015)
  • CT Gen Stat § 36a-701b Breach of Security (2012)