General Assembly Raised Bill No. 117 seeks to strengthen the legal framework surrounding breaches of security involving electronic personal information. It introduces new definitions, such as "Breach of security" and "Massive breach of security," the latter defined as incidents affecting at least 100,000 residents due to unauthorized access. The bill expands the definition of "Personal information" to include various identifiers like Social Security numbers and biometric data, while excluding publicly available information. It mandates that entities with computerized data must notify affected residents of any breaches within 60 days, notify the Attorney General, and provide identity theft prevention services for at least two years. The bill also allows for delayed notification if requested by law enforcement and updates notification methods to include electronic means.

Additionally, the bill imposes forensic examination requirements in the event of a massive breach: a third-party expert must prepare a report for the Attorney General within ninety days. Failure to comply with this requirement is classified as an unfair trade practice, subject to civil penalties of $100,000 for small businesses and $500,000 for larger entities. The bill also ensures that documents related to breach investigations are exempt from public disclosure, although the Attorney General may share them as needed. The act amends section 36a-701b of current law, replacing the previous subsection (k) with a new subsection (l), and is set to take effect on October 1, 2026.
