Connecticut Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Connecticut has one of the more detailed data breach notification laws in the United States. Codified at Conn. Gen. Stat. 36a-701b, the law requires any person or business that owns, licenses, or maintains computerized data containing personal information to notify affected Connecticut residents and the state Attorney General after discovering a security breach.
The law has been amended several times since its original enactment in 2005, most recently to add precise geolocation data to the definition of personal information (effective October 1, 2023). A firm 60-day notification deadline, mandatory identity theft protection services (in practice, credit monitoring) when Social Security or taxpayer identification numbers are exposed, and an encryption safe harbor make this one of the more prescriptive breach notification statutes in the country.
For a broader look at Connecticut's overall privacy framework, see the parent guide to [Connecticut Data Privacy Laws](/us-laws/data-privacy-laws/connecticut-data-privacy-laws).
Who Must Comply With the Law

The statute applies to any person who conducts business in Connecticut and who, in the ordinary course of that business, owns, licenses, or maintains computerized data that includes personal information of Connecticut residents. This covers corporations, LLCs, sole proprietors, nonprofit organizations, and government agencies.
Third-party service providers that maintain data on behalf of another entity have a separate obligation. They must notify the data owner immediately upon discovering a breach so the data owner can fulfill its notification duties.
State contractors who handle confidential information from government agencies face additional requirements under a companion statute, Conn. Gen. Stat. 4e-70, which imposes minimum security standards and its own breach reporting obligations to both the contracting agency and the Attorney General.
What Qualifies as Personal Information
Connecticut defines personal information in two categories that trigger notification obligations.
Category 1: Name Plus Sensitive Data Element
An individual's first name or first initial and last name combined with any one or more of:
- Social Security number or taxpayer identification number
- IRS identity protection PIN
- Driver's license number, state ID number, passport number, military ID, or other government-issued identification commonly used to verify identity
- Credit or debit card number
- Financial account number in combination with any required security code, access code, or password
- Medical information, including any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis
- Health insurance policy number or subscriber identification number and any unique identifier used by a health insurer
- Biometric data generated by electronic measurements of an individual's unique physical characteristics, such as fingerprints, voiceprints, or retina and iris images
- Precise geolocation data (added October 1, 2023)
Category 2: Online Account Credentials
A username or email address combined with a password or security question and answer that would permit access to an online account. Name is not required for this category to trigger notification.
Exclusions
Publicly available information lawfully made available from federal, state, or local government records is excluded from the definition of personal information.
What Constitutes a Breach of Security
Under the statute, a "breach of security" means unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
This definition has two important features. First, it is triggered by unauthorized access as well as by acquisition, so an intruder who could read the data counts even if there is no evidence that the data was copied or exfiltrated. Second, it builds the encryption safe harbor directly into the definition: encrypted data that is accessed does not constitute a breach unless the encryption key was also compromised, at which point the data is no longer "unreadable or unusable" and notification is required.
The 60-Day Notification Timeline

Connecticut imposes a hard 60-day deadline. Entities must provide notice to affected residents without unreasonable delay and not later than 60 days after discovery of the breach. If a shorter timeline applies under federal law, the federal requirement controls.
When the Clock Starts
The 60-day period begins when the entity discovers the breach, not when it completes its investigation. This is stricter than states that start the clock only after the entity has determined the scope of the incident or that notification is required, and it means scoping, forensics, and drafting of notices all have to fit inside the same 60 days.
Late-Discovered Victims
If additional affected residents are identified after the initial 60-day window, the entity must proceed in good faith to notify those individuals "as expediently as possible." There is no specific secondary deadline, but the "as expediently as possible" standard is enforceable by the Attorney General under CUTPA, so a late-identified population cannot be put off indefinitely.
Law Enforcement Delay
The notification deadline may be extended if a law enforcement agency determines that notification would impede a criminal investigation or jeopardize national security. The delay lasts only as long as law enforcement requests it.
Attorney General Notification
Every entity that discovers a breach must notify the Connecticut Attorney General no later than the time notice is provided to affected residents. There is no minimum number of affected individuals required to trigger AG notification. Even a breach affecting a single Connecticut resident requires AG notice.
The AG's office provides an online breach report submission form as the preferred method for reporting. After submission, the reporting entity receives a confirmation email followed by a case number in the format PR plus seven digits. Updates or supplements to a previously reported breach should be emailed to ag.breach@ct.gov with the case number.
Credit Monitoring and Identity Theft Services

Connecticut goes beyond basic notification by requiring affirmative identity protection services. When a breach involves Social Security numbers or taxpayer identification numbers, the breached entity must:
- Offer identity theft prevention services at no cost to the affected resident
- Offer identity theft mitigation services if applicable
- Provide these services for a minimum of 24 months
- Include information on how the resident can place a credit freeze on their credit file
This 24-month credit monitoring mandate is longer than what many states require. Several states impose 12-month minimums, and others leave it to the breached entity's discretion entirely.
How Notice Must Be Provided
The statute permits several methods of direct notice:
- Written notice sent to the individual's postal address
- Telephone notice delivered directly to the individual
- Electronic notice that complies with the federal E-SIGN Act (15 U.S.C. 7001 et seq.)
For breaches involving online account credentials (username or email plus password), the entity must direct the resident to promptly change the password and security question or answer, or take other steps appropriate to protect the affected account and any other account for which the resident uses the same credentials. If the breach involved login credentials for the individual's email account, notification cannot be sent to that compromised email address. The entity must use another notice method permitted by the statute, or deliver clear and conspicuous notice online when the resident is connected to the account from an IP address or online location from which the entity knows the resident customarily accesses it.
Substitute Notice
Substitute notice is available when the cost of direct notification would exceed $250,000, the affected class exceeds 500,000 people, or the entity lacks sufficient contact information. Substitute notice requires all three of:
- Email notice to all affected individuals for whom the entity has an email address
- Conspicuous posting on the entity's website
- Notification to major statewide media outlets
Encryption Safe Harbor
Connecticut provides a clear encryption safe harbor. If the personal information involved in the incident was encrypted or secured by another method that renders it unreadable or unusable, the breach notification requirements do not apply. However, if the encryption key was also compromised in the incident, the safe harbor does not protect the entity, and notification is required. In practice the test is whether the data was unreadable or unusable to the intruder, not whether encryption was enabled: data that was encrypted at rest but read through an application or database session that decrypted it on the intruder's behalf was readable, and the safe harbor should not be assumed to apply.
HIPAA and Financial Institution Exemptions
The statute provides compliance exemptions for certain regulated entities:
- HIPAA-covered entities: Compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) satisfies Connecticut's breach notification requirements. However, the entity must still notify the Connecticut Attorney General no later than when it notifies affected residents and must offer identity theft protection services when SSNs are compromised.
- Financial institutions: Entities that comply with federal interagency guidance on response programs for unauthorized access to customer information (issued pursuant to the Gramm-Leach-Bliley Act) are deemed in compliance with the state statute, subject to the same AG notification and identity theft protection requirements.
Enforcement Under CUTPA
Failure to comply with any provision of 36a-701b constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA, Conn. Gen. Stat. 42-110a et seq.). This means the Attorney General can pursue:
- Civil penalties up to $5,000 per willful violation
- Injunctive relief ordering the entity to comply
- Restitution to affected consumers
- Disgorgement of profits gained through the violation
Civil penalties collected go into the privacy protection guaranty and enforcement account administered by the Attorney General's office.
There is no private right of action under the breach notification statute. Individual consumers cannot sue directly for notification failures. Enforcement rests exclusively with the Attorney General.
Recent Enforcement Activity
The Connecticut Attorney General has actively enforced data security and privacy obligations. In 2025, the office finalized a $200,000 settlement with PharMerica over a breach affecting 105,000 Connecticut residents and a $200,000 settlement with WebTPA Employer Services. Both actions are highlighted in the AG's 2025 CTDPA enforcement report, and they demonstrate the office's willingness to pursue significant penalties for data security failures.
How This Law Interacts With the CTDPA
Connecticut's breach notification statute (36a-701b) and the Connecticut Data Privacy Act (CTDPA, Conn. Gen. Stat. 42-515 et seq.) are separate but complementary laws.
The breach notification statute governs what happens after a security incident. It tells entities when to notify, whom to notify, and what services to offer. The CTDPA governs ongoing data privacy obligations including consent requirements, consumer rights, data minimization, and data protection assessments.
A single data incident could trigger obligations under both laws. For example, a breach of biometric data would require notification under 36a-701b (because biometric data is personal information) and could also expose CTDPA violations if the entity lacked proper consent or security measures for that biometric data in the first place.
Proposed 2026 Amendments: Mandatory Forensic Reporting
Connecticut's 2026 legislative session introduced Senate Bill 117, which would amend 36a-701b to require mandatory forensic examination and reporting for large-scale breaches. Key provisions of the proposed bill include:
- A new category called a "massive breach of security" affecting 100,000 or more Connecticut residents
- Mandatory retention of a qualified third-party forensic examiner immediately upon discovery
- Submission of the forensic report to the Attorney General within 90 days of discovery
- If the entity fails to comply, the AG can hire a forensic firm directly and bill the entity
- Civil penalties up to $500,000 (or $100,000 for small businesses) on top of existing CUTPA penalties
As of March 2026, SB 117 has been referred to the General Law Committee and received a public hearing on February 18, 2026. If enacted with the proposed October 1, 2026 effective date, Connecticut would become the first state to mandate forensic reporting based on a numerical breach threshold.
Disclaimer
This article provides general legal information about Connecticut data breach notification requirements and is not legal advice. Laws and regulations change frequently, and their application varies based on specific circumstances. Consult a qualified attorney licensed in Connecticut for guidance on your particular situation.
Sources
- Conn. Gen. Stat. 36a-701b (Breach Notification), cga.ct.gov
- CT Attorney General: Reporting a Data Breach, portal.ct.gov
- CT AG Data Breach Report Submission Form, portal.ct.gov
- CT AG: Privacy and Data Security Department, portal.ct.gov
- Conn. Gen. Stat. 4e-70 (State Contractor Requirements), cga.ct.gov
- CT AG 2025 CTDPA Enforcement Report, portal.ct.gov
- SB 117 (2026): Mandatory Forensic Reporting Proposal, cga.ct.gov