Get access to the exclusive HR Resources you need to succeed in 2018.
Sign up for free email newsletters and get more SHRM content delivered to your inbox.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Build competencies, establish credibility and advance your career—while earning PDCs—at SHRM Seminars in 14 cities across the U.S. this fall.
Gain the skills you need to rise to the next level in your career. Jon us at SHRM's Leadership Development Forum, October 2-3 in Boston.
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
Beginning Oct, 1, 2015, companies that experience a data breach affecting a Connecticut resident must offer that individual free identity-theft prevention services and, if applicable, identity theft mitigation services for at least one year. The breach must include the resident’s name and Social Security number (SSN).
The new law, Public Act No. 15-142, signed by Gov. Dannel Malloy on June 11, amends the state’s current breach notification mandate to require covered businesses to offer one year of free identity-theft protection service to each Connecticut resident affected by a data breach of certain personal information, including the resident’s name and SSN.
The new law also requires that if such services have to be provided, the notification to the affected residents must inform the recipients how to enroll in the services and how to place a credit freeze on their credit file.
The law also tightens the timeframe for providing all breach notifications (not just those involving free theft protection services). Breach notifications must continue to be made without unreasonable delay; effective Oct. 1, 2015, however, such notifications may not be made later than 90 days after the discovery of the breach, unless a shorter time is required under federal law.
The new mandate has significant implications for companies that have breaches involving SSNs affecting individuals in states such as Connecticut. Companies might feel compelled to offer identity theft protection services to all affected individuals, not just Connecticut residents. Of course, many businesses already provide similar services, but not in all cases.
In addition, businesses should consider evaluating possible providers of identity theft protection services ahead of time to be ready to move quickly in the event of a breach that triggers the new mandate. Some have read the California breach notification law to have a mandate similar to Connecticut’s, requiring one year of free identity theft protection services (the California law is not as clear as the Connecticut law).
Businesses also should determine the scope of services that needs to be offered. A cottage industry of credit monitoring, identity theft protection and remediation services has emerged, some companies offering more extensive and thorough services than others, at varying costs. While the Connecticut law contains no minimum requirements for identity theft prevention or mitigation services, companies should consider the different service providers and levels of service in the marketplace to ensure their needs will be met.
During the legislative process, Connecticut Attorney General George Jepsen acknowledged that the law would set only “a floor for the duration of the protection” and his office may continue to “seek broader kinds of protection.” In particular, in cases where a data breach involves more sensitive personal information, the attorney general stated he would continue this practice of seeking two years of identity theft prevention or mitigation services, even though the statute requires only one year.
Jackson Lewis represents management exclusively in workplace law and related litigation. Republished with permission. © 2015 Jackson Lewis. All rights reserved.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Please sign in as a SHRM member before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Join SHRM's exclusive peer-to-peer social network
SHRM’s HR Vendor Directory contains over 10,000 companies