Connecticut Enacts Two Bills Regarding Data Privacy Breaches and Cybersecurity

Connecticut recently enacted two bills, House Bill 5310 (HB 5310) and House Bill 6607 (HB 6607), regarding data privacy breaches and cybersecurity standards for businesses, respectively.  Both bills become effective on October 1, 2021.

Among other matters, HB 5310 expands the types of personal information triggering required notice of a data breach, including medical and biometric information, shortened the maximum period by which notification must be made from 90 to 60 days following discovery of a breach, and requires notice as expediently as possible if it is discovered that personal information was, or reasonably believed to have been, breached following such 60 day period.   

HB 6607 prevents the Connecticut Superior Court from assessing punitive damages against a covered entity for a data breach of personal or restricted information if the covered entity meets specified cybersecurity requirements.  The safe harbor also applies in instances where cybersecurity programs meet applicable state or federal laws and regulations.