Montana and Connecticut Amend Data Breach Notification Statutes

In a continued trend of states extending their data breach laws to better protect residents, Montana and Connecticut passed legislation earlier this year that went into effect October 1, 2015. Both Montana’s H.B. 74 and Connecticut’s S.B. 949 increase the stringency of data breach notification obligations for businesses that own, license, or maintain computerized data that includes personally identifiable information (PII). Montana and Connecticut are two of the most recent states to pass or modify such legislation (see recent changes in Wyoming as well), which to date extends to nearly all U.S. states and territories.

Connecticut Senate Bill 949, which amends § 36a-701b of the Connecticut General Statutes, changes the breach notification timeline for affected individuals and adds identity theft services.

Key changes include:

• Companies must notify affected residents without unreasonable delay, but not later than ninety calendar days after discovery of the breach (formerly did not include the ninety-day stipulation).
• When a breach involves a Connecticut resident’s Social Security number, companies must offer free identify theft prevention and mitigation services for a period of not less than one year.
• Notification must include details on how to enroll in free prevention services, and provide information on how residents can place a freeze on their credit file.

Montana House Bill 74, which amends § 30-14-1704 and § 33-9-321 of the Montana Code Annotated, expands the definition of PII and adds a requirement to notify the Attorney General's Office of Consumer Protection.

Key changes include:

• Regulated personal information now includes medical record information, taxpayer identification numbers, and identity protection personal identification number issued by the Internal Revenue Service.
• Entities who are required to provide notification to affected individuals must now also submit an electronic copy of the notice along with the number of in-state individuals affected to the attorney general. Additionally, insurance licensees or insurance-support organizations who are required to notify affected individuals must also notify the Commissioner of Insurance and Securities.

RADAR, an award-winning, patented SaaS solution for incident response management, incorporates current federal and state regulations into its patented incident assessment and guidance engine to help organizations comply with complex data breach regulations. RADAR released support for the changes in Montana and Connecticut as well as updated content in its new dedicated Law Overviews resource.

Special thanks to Kelly Burg, Regulatory Content Product Manager, for her contributions to this post.