Any business handling credit card transactions, confidential health or financial information needs to take heed of important new amendments to Connecticut’s security breach notification laws. Effective October 1, 2012, new subsection (b)(2) of the existing Connecticut General Statutes Sec. 36a-701 Data Breach Notification Statute requires that the Connecticut Attorney General’s Office be notified of a data breach. Prior to this enactment, Connecticut and other New England states were on the forefront of these consumer protection breach laws requiring anyone doing business in their state to provide notice of a computerized security breach without unreasonable delay to residents who may have been affected. As part of the Connecticut Attorney General’s Privacy Task Force, a dedicated webpage detailing these new reporting requirements is available at www.ct.gov/ag.
An important lesson from this new law is that unless these new notification provisions are carefully followed, the Attorney General’s office will also have a crack at assessing additional fines. The good news is that there is a “safe harbor” built into some of these regulations so that if businesses are fully compliant with the Payment Card Industry’s Data Security Standards (often called PCI-DSS) at the time the breach occurred they will likely get a “get out of jail free card” with no fines accessed by the credit card industry.
Given the prolific amount of malware and organized crime activity occurring on the internet, businesses can’t be too cautious about regularly updating their internet security tools and accessing potential risks. Many of the data breaches occurring today aren’t always caused by criminals. They’re just as often caused by careless handling of customers’ personal information on the devices that store or transmit information and failing to update security tools. Regularly updating computer security, training employees, restricting user access and understanding the legal requirements will help businesses stay ahead of the costly aftermath of a data breach. If businesses outsource these functions to third party vendors, it’s critical to verify they meet or exceed current security standards on all networks and devises.
Sufficient encryption, secure passwords, limited user access, regularly updating all firewall and anti-virus software on all devises that use, store or transmit data is critical to data breach prevention. The small cost of regularly conducting audits, upgrading security tools and training staff is well worth the investment compared to the high-cost of a data breach. Only after forensics has been completed with the clock running will the breached entity know just how many individuals, Attorney Generals, banking institutions, local law enforcement and FBI officials or other regulators will need to be notified. The aftermath to a breached entity will be much more than the sum of its legal expenses, costs of forensics, notification costs, fines and penalties. Data breach is much more than an IT issue, it is critical to business survival. Ensuring your business meets or exceeds all applicable security standards and carefully training staff is one of best ways to avoid a breach and the serious consequences that follow.
If you missed our articles in the Hartford Business Journal and Connecticut Law Tribune on these important new requirements under Connecticut State law, reprints of the full article are available on request.
Attorney Tegan Blackburn based in Simsbury, Connecticut has two decades of experience as in-house and outside counsel advising retail, banking, restaurant, healthcare, technology and other clients on general business and corporate matters, including compliance issues and data breach response.
Last Updated (Wednesday, 13 February 2013 21:34)