Several years ago, Connecticut passed a law that, for the first time, required employers to take special precautions to protect the personal data of their employees. 

For a refresher, you can see my prior posts here and here.

Now, there is news of some tweaks to the law with some implications for employers and companies. My colleague, Steve Bonafonte, has this update:

For those of us who were watching proposed legislation on data breaches unsuccessfully move its way through the 2012 General Session, we see now that it was passed as part of the Connecticut General Assembly’s Special Session by attaching it as Section 130 of the Budget Bill.

The new statute, Section 36a-701b, is effective October 1, 2012. 

It requires the reporting of a “breach of security” to the Connecticut Attorney General. This is in addition to any other data breach reporting requirements that exist in the Connecticut Statutes or are promulgated by industry regulators (e.g., Connecticut Department of Insurance Bulletin IC-25).

Failure to comply constitutes an unfair trade practice under Connecticut General Statutes Section 42-110b and is enforceable by the Attorney General.

What’s the takeaway for employers? This is yet another reminder that businesses should have a system to monitor and adjust internal data breach response policies and procedures in order to comply with these actively changing laws, particularly when it comes to protecting the private information of your employees.

While Connecticut-based businesses ought to give special attention to Connecticut law, the laws of other states may apply if you maintain or use personal information of residents of those states. Additionally, these laws are increasingly providing for more active enforcement mechanisms that enable monetary damages or fines – both of which can be costly to defend and harmful to the brand reputation of the business if reported in the media.