If a bill introduced in the Connecticut Senate ever becomes law, there will be new requirements for entities whose breaches affect more than 100,000 Connecticut residents. As attorneys from Ballard & Spahr explain:
A new bill introduced in Connecticut—Connecticut Senate Bill 117, An Act Concerning Breaches of Security Involving Electronic Personal Information—would create mandatory forensic examination requirements for entities that experience a “massive breach of security,” defined as a data breach affecting at least 100,000 Connecticut residents, and impose substantial penalties for noncompliance.
SB 117 would require entities that experience a “massive breach of security” to:
- Immediately retain a qualified third-party forensic examiner to conduct a forensic examination of the computer or computer system that was the subject of the data breach and to prepare a detailed forensic report disclosing how the breach occurred and its root causes;
- Submit the detailed forensic report to the Connecticut Attorney General within 90 days of discovering the breach; and
- Face civil penalties of $100,000 for small businesses and $500,000 for other entities for noncompliance.
Read more at JD Supra.
The second provision above is certain to raise a lot of concerns and opposition. The language of the bill with respect to this requirement states:
(i) All documents, materials and information provided in response to an investigative demand issued pursuant to subsection (c) of section 42-110d in connection with the investigation of a breach of security, [as defined by this section] and all forensic reports provided to the Attorney General pursuant to subsection (i) of this section, shall be exempt from public disclosure under subsection (a) of section 1-210, provided the Attorney General may make such documents, materials, [or] information or forensic reports available to third parties in furtherance of such investigation.
If Connecticut’s Attorney General collaborates in a multi-state investigation of a breach that affects more than 100,000 Connecticut residents, and the entity duly submits the required forensics report, could that report then become part of a multi-state investigation?
