DBN Statutes – Connecticut

Data Breach Notification Statutes – Connecticut

Last Updated: 02/28/2024

  • Applicable Statute: Conn. Gen. Stat. § 36a-701b
  • Attorney General Notice Required: Yes.
  • Consumer Notice Requirements:
    • Timing: Must be made without unreasonable delay but no later than 60 days after discovery of the breach, unless shorter time is required by federal law. If, following 60 days after the discovery of a breach, additional Connecticut residents are identified whose personal information was breached or reasonably believed to have been breached, notification must be made as expediently as possible.
    •  Content: If Social Security numbers or tax identification numbers were or are reasonably believed to have been breached, notice to affected residents must contain an offer of appropriate identity theft prevention services and, if applicable, identity theft mitigation services at no cost for a period of not less than 24 months. Must also provide all information necessary for affected residents to enroll in such services as well as on how to place a credit freeze on the affected resident’s credit file.
    •  If a resident’s username or email address, in combination with a password or security question and answer that would permit access to an online account was affected, notice must direct the resident to promptly change any password or security question and answer, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same username or email address and password or security question and answer.
    •  Method: Notice to an affected resident may be by written, telephonic, or electronic if consistent with the provisions regarding electronic records and signatures set forth in E-SIGN. Substitute notice may be available under certain circumstances.
    •  If a resident’s email account provided by the subject entity was breached or reasonably believed to have been breached, notice cannot be made to that same email address unless the subject entity can reasonably verify the affected resident’s receipt of such notice.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, Klinedinst PC or its attorneys. Content included on this site is subject to change and users should note the date of last update when reviewing such contents. The content is provided "as is;" no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in a several such states and visitors of this website are put on notice that neither Klinedinst PC, nor its attorneys, are or will provide legal advice for states where its attorneys are not licensed.

Data Breach Notification Statutes

Practice Attorneys


Related Practice Areas



Subscribe to Privacy and Data Security Newsletter

* indicates required