Substitute House Bill No. 5210 establishes new data security requirements for financial institutions, including banks and credit unions, under the jurisdiction of the Department of Banking. The bill requires these institutions to create written programs that set out standards for developing, implementing, and maintaining reasonable data security safeguards to protect customer information. It defines a "data security incident" as any unauthorized access, acquisition, destruction, or corruption of electronic files containing personal or sensitive business information. Institutions must notify the Department of Banking within three business days of any incident that could materially impact operations or that involves unauthorized access to personal information.

The bill also introduces new legal language that broadens the definition of protected personal information, now including credit or debit card numbers, financial account numbers, medical history, biometric data, and precise geolocation data. It specifies that a person's username or email address, when combined with a password or security question and answer, is also considered sensitive. Additionally, the bill repeals Section 36a-44a and replaces it with updated definitions and requirements, ensuring compliance with the Gramm-Leach-Bliley Financial Modernization Act of 1999. The effective date for these new requirements is set for October 1, 2026, with the aim of enhancing consumer protection and safeguarding sensitive data against unauthorized access and breaches.

Statutes affected:
Raised Bill:
BA Joint Favorable Substitute:
File No. 133: