On June 30, 2015, Connecticut Governor Dannel Malloy signed into law Senate Bill 949, “An Act Improving Data Security and Agency Effectiveness”, a data privacy and security bill that creates stricter data breach response requirements.  S.B. 949 specifies that an entity that experiences a data breach must give notice to those affected no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.”  Previously, Connecticut law only required entities to provide notice of a data privacy breach to affected individuals “without unreasonable delay.”

During a press conference on June 2, 2015, Attorney General George Jepsen clarified that 90 days is the floor – not the ceiling.  He stated that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”  Projected to become effective October 1, 2015, S.B. 949 also requires entities affected by breaches to provide at least one year of free identity theft prevention services for breaches involving the resident’s name and Social Security number.