As part of our ongoing efforts to keep you up-to-date concerning information security legislation around the country, this post covers a fairly recent Connecticut law of interest to information security professionals, executives, risk managers, and attorneys.
Connecticut enacted a new data protection law that became effective October 31, 2008. It includes both protection of Social Security Numbers and a broad data protection requirement. The Governor signed HB 5658 into law on June 10, 2008, and it became Public Act No. 08-167, entitled “An Act Concerning the Confidentiality of Social Security Numbers” (“Connecticut Act”).[1]
Although billed as a Social Security Number protection law, the provision having the most impact from a data protection standpoint is its first section, which requires “any person in possession of personal information of another person” to “safeguard the data, computer files and documents containing the information from misuse by third parties.” Connecticut Act § 1. By covering any person with others’ personal information, the law is broad in scope, covering businesses holding customer information, governmental entities, and employers. The Connecticut Act makes the state one of a modest number of states adopting general data protection laws analogous to California’s AB 1950.[2] The Act applies to both electronic and paper information.
Perhaps most significant, “Personal information” also has a broad definition, and means any “information capable of being associated with a particular individual through one or more identifiers.” Id. § 1(c). The Connecticut definition includes the common California SB 1386[3] identifiers: Social Security Numbers, driver’s license numbers, account numbers, and credit or debit card numbers,[4] as well as additional identifiers such as passport number and health insurance identification numbers. But most importantly, unlike other state laws, “personal information,” is not limited to these categories. The definition covers any identifiers that can associate information with an individual. Moreover, the law does not expressly limit its scope to “personal information” about Connecticut residents. Thus, the law may cover both Connecticut businesses holding personal information about other states’ residents, or businesses located outside Connecticut that hold personal information about Connecticut residents.
In addition, the Connecticut Act calls for covered persons to “destroy, erase or make unreadable” any personal information, whether paper or electronic, before disposal. Connecticut Act § 1. Therefore, Connecticut joins states such as California with laws mandating that any data disposal of personal information be done in a secure manner.[5]
The Connecticut Act also requires security planning for Social Security Numbers. “Any person who collects Social Security numbers in the course of business” must create and publish or “publicly display” a “privacy protection policy.” Connecticut Act § 1(b). “Publicly display” can include publication on a web page. Id. The policy must protect the confidentiality of the SSNs, prohibit unlawful disclosure, and limit access to them. Id. Again, the statute covers a wide variety of entities, which would include businesses holding customer SSNs, or employers.[6]
The civil penalty for violating the Connecticut Act is $500 per violation, subject to a $500,000 cap for a single event. Id. § 1(e). The penalty section, though, statues that “[i]t shall not be a violation of this section if such violation was unintentional.” Id. Thus, no penalties apply to unintentional violations.[7]
[1] A copy of the Act appears here: http://www.cga.ct.gov/2008/ACT/Pa/pdf/2008PA-00167-R00HB-05658-PA.pdf.
[2] Cal. Civil. Code § 1798.81.5.
[3] Cal. Civil. Code §§ 1798.29, 1798.82.
[4] Also unlike SB 1386, the Connecticut law does not mention access codes, security codes, or password in combination with an account or card number. Thus, the account or card number alone may be a sufficient identifier for an individual.
[5] Cal. Civil. Code § 1798.81.
[6] One could argue that although a business must “create” a privacy protection policy for SSNs, nothing in the law actually requires the business to implement the policy or any safeguards called for in the policy. The Connecticut Act says that the “policy shall” protect SSNs but nothing about implementing or maintaining security policies, practices, or safeguards. Id. By contrast, other laws say that health care providers must “implement and maintain” security practices, such as California’s AB 1950. Cal. Civil Code § 1798.81.5. Businesses making an intentional decision not to implement the required policy based on such a cramped reading of the statute, however, are taking a risk of a finding of an intentional violation. Nonetheless, it is unclear to what extent businesses must implement safeguards to protect SSNs
[7] Moreover, the broad scope of this sentence about unintentional violations – applying an exception for unintentional violations to the whole “section” of the Connecticut Act – may limit the extent of enforcement of the entire law. A requirement of intentional conduct for a violation arguably means that negligent conduct is excluded. It is not clear whether recklessness or gross negligence would constitute a violation. Thus, it is not clear whether a business that unintentionally compromised personal information, but did so negligently, would face any consequences under the Connecticut Act for failing to safeguard personal information. Nonetheless, negligent failures to protect personal information or SSNs may give rise to liability under other law and causes of action, such as negligence, negligence per se, or violation of the Connecticut Unfair Trade Practices Act (Conn. Gen. Stat. § 42-110b).