It has become standard operating procedure for companies to offer some form of credit monitoring services to individuals affected by a data breach, but the length of time and services provided often vary. Concerned states, including Connecticut, are now imposing requirements on businesses that suffer a data breach.
Beginning October 1, 2015, companies doing business in the state (even if they have no physical location in the state) that experience a data breach affecting a Connecticut resident must offer that individual free identity-theft prevention services and, if applicable, identity theft mitigation services for at least one year. The breach must include the resident's name and Social Security number (SSN).
Companies that maintain cyber insurance policies which cover breaches of personal information may find that those policies will cover the cost of similar services. Of course, these companies should work with their brokers and other counsel to ensure the policies would be sufficient to cover the insured's obligations under this change in Connecticut's law. Companies without insurance may want to consider whether an insurance or similar product would be needed to address this and similar law changes, which are making data breach response increasingly expensive.
The new law, Public Act No. 15-142, signed by Governor Dannel Malloy on June 11, amends the state's current breach notification mandate to require covered businesses to offer one year of free identity-theft protection service to each Connecticut resident affected by a data breach of certain personal information, including the resident's name and SSN.
The new law also requires that if such services have to be provided, the notification to the affected resident(s) must tell the recipient(s):
- how to enroll in the services, and
- how to place a credit freeze on their credit file.
The law also tightens the timeframe for providing all breach notifications (not just those involving free theft protection services). Breach notifications must continue to be made without unreasonable delay; effective October 1, 2015, however, such notifications may not be made later than 90 days after the discovery of the breach, unless a shorter time is required under federal law.
Editor's Note: A previous version of this article was first published in the Jackson Lewis Workplace Resource Center.
What companies should do now
The new mandate has significant implications for companies that have breaches involving SSNs affecting individuals in states such as Connecticut. Companies might feel compelled to offer identity theft protection services to all affected individuals, even though the Connecticut law as amended requires only that the services be provided to affected Connecticut residents. Of course, many businesses already provide similar services, but not in all cases.
In addition, businesses should consider evaluating possible providers of identity theft protection services ahead of time to be ready to move quickly in the event of a breach that triggers the new mandate. Some have read the California breach notification law to have a mandate similar to Connecticut's, requiring one year of free identity theft protection services (the California law is not as clear as the Connecticut law).
Businesses also should determine the scope of services that needs to be offered. A cottage industry of credit monitoring, identity theft protection and remediation services has emerged, with some companies offering more extensive and thorough services than others, at varying costs. Although the Connecticut law contains no minimum requirements for identity theft prevention or mitigation services, companies should consider the different service providers and levels of service in the marketplace to ensure their needs will be met.
During the legislative process, Connecticut Attorney General George Jepsen acknowledged that the law would set only "a floor for the duration of the protection" and his office may continue to "seek broader kinds of protection." In particular, in cases in which a data breach involves more sensitive personal information, the AG stated he would continue this practice of seeking two years of identity theft prevention or mitigation services, even though the statute requires only one year.
Joseph J. Lazzarotti is a Shareholder in the Morristown, New Jersey office of Jackson Lewis P.C. He founded and currently helps to lead the firm's Privacy, e-Communication and Data Security Practice, edits the Firm's Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.