Connecticut Senate Bill Raises the Stakes on Data Breach Response for “Massive” Breaches

In Legal News
February 28, 2026

If a bill introduced in the Connecticut Senate ever becomes law, there will be new requirements for entities whose breaches affect more than 100,000 Connecticut residents. As attorneys from Ballard & Spahr explain:

A new bill introduced in Connecticut—Connecticut Senate Bill 117, An Act Concerning Breaches of Security Involving Electronic Personal Information—would create mandatory forensic examination requirements for entities that experience a “massive breach of security,” defined as a data breach affecting at least 100,000 Connecticut residents, and impose substantial penalties for noncompliance.

SB 117 would require entities that experience a “massive breach of security” to:

  • Immediately retain a qualified third-party forensic examiner to conduct a forensic examination of the computer or computer system that was the subject of the data breach and to prepare a detailed forensic report disclosing how the breach occurred and its root causes;
  • Submit the detailed forensic report to the Connecticut Attorney General within 90 days of discovering the breach; and
  • Face civil penalties of $100,000 for small businesses and $500,000 for other entities for noncompliance.

Read more at JD Supra.

The second provision above is certain to raise a lot of concerns and opposition. The language of the bill with respect to this requirement states:

(i) All documents, materials and information provided in response to an investigative demand issued pursuant to subsection (c) of section 42-110d in connection with the investigation of a breach of security, [as defined by this section] and all forensic reports provided to the Attorney General pursuant to subsection (i) of this section, shall be exempt from public disclosure under subsection (a) of section 1-210, provided the Attorney General may make such documents, materials, [or] information or forensic reports available to third parties in furtherance of such investigation.

If Connecticut’s Attorney General collaborates in a multi-state investigation of a breach that affects more than 100,000 Connecticut residents, and the entity duly submits the required forensic report, could that report then become part of a multi-state investigation?