On February 19, Senate and House leadership filed a data security proposal at the request of Governor Dan Malloy (D-CT). The bill, SB 949, was introduced in response to the Anthem Insurance breach, and is now part of the Governor's budget. Connecticut Attorney General George Jepsen (D), who has been leading the state's investigation into the breach, is likely to become involved in the consideration of this legislation.
SB 949 would have a significant impact on companies doing business with the state by imposing very stringent requirements on state contractors who have suffered a breach or a suspected breach affecting the personal information of Connecticut residents. Specifically, the bill stipulates that a contractor shall:
- Notify the state contracting agency and the Attorney General as soon as practical, but not later than 24 hours after the contractor becomes aware of or suspects that any confidential information that the contractor possesses or controls has been subject to a breach or suspected breach.
- Immediately cease all use of the data provided by the state contracting agency or developed internally by the contractor; and
- Not later than three business days after the notification, submit to the office of the Attorney General and the state contracting agency either a report detailing the breach and a plan to mitigate the effects of the breach and specifying the steps taken to ensure future breaches do not occur, or a report detailing why, upon further investigation, the contractor believes no breach has occurred.
Following a review of the contractor's report, the state contracting agency would have sole discretion under the bill to authorize the contractor to resume using Connecticut residents' information or to cancel the agreement. The bill also sets penalties for contractors of up to $1,000 per individual affected by the breach.
Several bills have been filed in response to the Anthem Insurance breach, including legislation in the Senate that would require all vendors, as a condition of entering into a contract with the state, to encrypt all personal information records. However, SB 949 will likely see movement as it has the Governor's backing.
For more information, please contact Russ Guarna at [email protected] or Kevin Callahan at [email protected].