Connecticut Expands Data Breach Notification Requirements and Establishes a Cybersecurity "Safe Harbor"

Connecticut has become the third state to enact a cybersecurity safe harbor statute.

On June 16 and July 6, 2021, Connecticut Governor Ned Lamont signed two new cybersecurity laws that continue the national trend of expanding cyber incident disclosure obligations, shortening notification timelines, and incentivizing the implementation of recognized cybersecurity standards. Both laws take effect on October 1, 2021.

"An Act Concerning Data Privacy Breaches" Amends Connecticut's Existing Data Breach Law

The amended data breach law includes three key changes:

  • The time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach has been shortened from 90 days to no later than 60 days after discovery of the breach;
  • If notice cannot be effected within the new 60-day window, a novel and significant amendment requires companies to provide preliminary substitute notice to individuals, and follow up with direct notice as soon as possible; and
  • The law significantly expands the definition of "personal information" that may trigger notification obligations to include an IRS identity protection personal identification number, certain medical information, biometric information, a user name or email address in combination with a password or security question and answer (regardless of whether the individual's name is accessed together with it), and a number of other data elements commonly included in other states' data breach notice laws.

"An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses" Establishes a Cybersecurity "Safe Harbor" Statute

The new law will establish an affirmative defense against tort claims alleging that a business's failure to implement reasonable cybersecurity controls caused a data breach. Businesses that have created, maintained, and complied with a written cybersecurity program can take advantage of this "safe harbor" if their written cybersecurity program complies with one or more of the industry-recognized frameworks (such as the National Institute of Standards and Technology's Cybersecurity Framework or the Center for Internet Security's Critical Security Controls) or applicable federal laws (such as the cybersecurity requirements of the Health Insurance Portability and Accountability Act).

Connecticut is the third state, after Ohio and Utah, to enact a cybersecurity safe harbor statute.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.