
Connecticut data breach notification law

This page summarizes Connecticut's data breach notification requirements under Conn. Gen. Stat. §36a-701b: the resident-notification deadline, the AG/regulator filing threshold, the encryption safe harbor, private-right-of-action exposure, the penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute: Conn. Gen. Stat. §36a-701b
Enforcer: Connecticut Attorney General
AG notification: Required
Private right of action: No (AG-only enforcement)

Notification deadlines

Notify affected residents: Without unreasonable delay, but not later than 60 days after discovery of the breach
Notify the state regulator: Yes — written notice to the AG no later than the time consumers are notified
Notify consumer reporting agencies: Yes — if more than 1,000 residents are affected, notify the nationwide consumer reporting agencies

When is notification required?

Trigger / harm threshold: Notification is not required if, after consultation with relevant federal and state law enforcement agencies, it is determined that the breach will not likely result in harm to the affected residents
Encryption safe harbor: Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Connecticut law

First name/initial + last name with SSN, DL/state ID, financial account + access code, taxpayer ID, IRS PIN, passport, military ID, health-insurance info, medical info, biometric data, OR username/email + password/security Q&A

Penalties and enforcement

$5,000 per violation under CUTPA, plus identity-theft prevention services at no cost to affected residents for at least 24 months (12 months if the breach did not involve a Social Security number)
Enforced by: Connecticut Attorney General.

Common pitfalls

Connecticut mandates 24 months of free credit monitoring/IDTP if SSN/taxpayer ID is breached — budget for this
AG notice must be filed at the same time as resident notice — not after

Frequently asked questions

How long do I have to notify Connecticut residents after a data breach?
Without unreasonable delay, but not later than 60 days after discovery of the breach
Do I have to notify the Connecticut Attorney General?
Yes — written notice to the AG no later than the time consumers are notified
Does Connecticut require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide consumer reporting agencies
Is encrypted data exempt from Connecticut's breach notification requirement?
Yes — Connecticut has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Connecticut residents sue me directly for a data breach?
No — Connecticut's breach statute does not provide a direct private right of action. Residents typically must rely on the AG to enforce, or pursue common-law negligence claims.
What counts as 'personal information' under Connecticut law?
First name/initial + last name with SSN, DL/state ID, financial account + access code, taxpayer ID, IRS PIN, passport, military ID, health-insurance info, medical info, biometric data, OR username/email + password/security Q&A
What are the penalties for failing to comply with Connecticut's breach notification law?
$5,000 per violation under CUTPA + identity-theft prevention services required for at least 24 months (or 12 months without SSN) at no cost to affected residents

Related state breach laws

California (CA)
Cal. Civ. Code §§1798.29
Colorado (CO)
Colo. Rev. Stat. §6-1-716
Delaware (DE)
6 Del. C. §§12B-101 to 12B-104
District of Columbia (DC)
D.C. Code §§28-3851 to 28-3853

Pre-empt the Connecticut breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against Connecticut's statutory requirements, so you see every gap before you have to rely on that policy in a real incident.
