Two data-security-related measures that failed to gain approval in the regular session (originally contained in SB 315 and SB 353) were adopted as part of legislation passed in the special session.

One measure provides that, if and when a business experiences a material data breach, it will have to notify the state attorney general, in addition to meeting the company’s current notification obligations.

This is one of the steps that will be taken by the office of the attorney general to improve consumer protections.

All things considered, the threshold or trigger of harm requiring notice remains reasonable. There's no requirement that the attorney general, or the consumers impacted, be notified of all data breaches.

Companies with a data breach may initially investigate and make an internal determination as to whether the breach was material and notification is therefore necessary. Under the legislation, companies do not have to notify the attorney general prior to their notifying their customers.

Another measure restricts the data collection of certain consumer identifying information such as Social Security numbers, except for some businesses, such as health insurance companies, for which the data is critically necessary.

There will be greater restrictions on businesses seeking to use Social Security numbers, but the new standard does permit businesses that need them for valid reasons specified by the legislation to request and use them.

For more information, contact CBIA’s Kia Murrell at 860.244.1931 or kia.murrell@cbia.com.