LCO 1 of 9
General Assembly Substitute Bill No. 117
February Session, 2026

AN ACT CONCERNING BREACHES OF SECURITY INVOLVING ELECTRONIC PERSONAL INFORMATION.

Be it enacted by the Senate and House of Representatives in General Assembly convened:
Section 1. Section 36a-701b of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2026):

(a) For purposes of this section: [,]

(1) ["breach of security"] "Breach of security" means unauthorized access to, or unauthorized acquisition of, electronic files, media, databases or computerized data [,] containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable; [and (2) "personal information"]

(2) "Massive breach of security" means a breach of security where (A) the personal information of at least one hundred thousand residents of this state has been breached or is likely to have been breached, and (B) the breach of security occurred due to any unauthorized access to, or any unauthorized use of, a computer or computer network; and

(3) "Personal information" means an individual's (A) first name or first initial and last name in combination with any one, or more, of the following data: (i) Social Security number; (ii) taxpayer identification number; (iii) identity protection personal identification number issued by the Internal Revenue Service; (iv) driver's license number, state identification card number, passport number, military identification number or other identification number issued by the government that is commonly used to verify identity; (v) credit or debit card number; (vi) financial account number in combination with any required security code, access code or password that would permit access to such financial account; (vii) medical information regarding an individual's medical history, mental or physical condition [,] or medical treatment or diagnosis by a health care professional; (viii) health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual; (ix) biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print [,] or retina or iris image; or (x) precise geolocation data, as defined in section 42-515; or (B) user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
(b) (1) Any person who owns, licenses or maintains computerized data that includes personal information [,] shall provide notice of any breach of security, following the discovery of the breach, to any resident of this state whose personal information was breached or is reasonably believed to have been breached. Such notice shall be made without unreasonable delay but not later than sixty days after the discovery of such breach, unless a shorter time is required under federal law, subject to the provisions of subsection (d) of this section. If the person identifies additional residents of this state whose personal information was breached or reasonably believed to have been breached following sixty days after the discovery of such breach, the person shall proceed in good faith to notify such additional residents as expediently as possible. Such notification shall not be required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired or accessed.

(2) If notice of a breach of security is required by subdivision (1) of this subsection:

(A) The person who owns, licenses or maintains the computerized data that includes the personal information [,] shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General in a form and manner prescribed by the Attorney General; and

(B) The person who owns or licenses the computerized data that includes the personal information [,] shall offer to each resident whose personal information under clause (i) or (ii) of subparagraph (A) of subdivision [(2)] (3) of subsection (a) of this section was breached, or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such [service or] services shall be provided at no cost to such resident for a period of not less than two years. Such person shall provide all information necessary for such resident to enroll in such [service or] services and shall include information on how such resident can place a credit freeze on such resident's credit file.

(c) Any person [that] who maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the personal information of any breach of the security of the data immediately following its discovery, if the personal information of a resident of this state was breached or is reasonably believed to have been breached.
(d) Any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that [the] such notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination. In the case of a massive breach of security, the performance of a forensic examination and analysis by a third party as required under subsection (i) of this section shall also be delayed if a law enforcement agency determines that the performance of such examination and analysis will impede a criminal investigation and such law enforcement agency has made a request that performance of such examination and analysis be delayed. Any such delayed examination and analysis shall be performed after such law enforcement agency determines that performance of such examination and analysis will not compromise the criminal investigation and so notifies the person of such determination.

(e) Any notice to a resident, owner or licensee required by the provisions of this section may be provided by one of the following methods, subject to the provisions of subsection (f) of this section: (1) Written notice; (2) telephone notice; (3) electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001, [;] as amended from time to time; or (4) substitute notice, provided such person demonstrates in the notice provided to the Attorney General that the cost of providing notice in accordance with subdivision (1), (2) or (3) of this subsection would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand persons or that the person does not have sufficient contact information. Substitute notice shall consist of the following: (A) Electronic mail notice when the person has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the web site of the person if the person maintains one; and (C) notification to major state-wide media, including, but not limited to, newspapers, radio and television.
(f) (1) In the event of a breach of login credentials under subparagraph (B) of subdivision [(2)] (3) of subsection (a) of this section, notice to a resident may be provided in an electronic or other form that directs the resident whose personal information was breached, or is reasonably believed to have been breached, to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same user name or electronic mail address and password or security question and answer.

(2) Any person [that] who furnishes an electronic mail account shall not [comply] be deemed to have complied with this section [by providing] if such person provides notification to the electronic mail account that was breached, or is reasonably believed to have been breached, [if the person] and cannot reasonably verify the affected resident's receipt of such notification. In such an event, the person shall provide notice by another method described in this section or by clear and conspicuous notice delivered to the affected resident online when the affected resident is connected to the online account from an Internet protocol address or online location from which the person knows the affected resident customarily accesses the account.

(g) Any person [that] who maintains such person's own security breach procedures as part of an information security policy for the treatment of personal information, and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies, as applicable, residents of this state, owners and licensees in accordance with such person's policies in the event of a breach of security and, in the case of notice to a resident, such person also notifies the Attorney General, in a form and manner prescribed by the Attorney General, not later than the time when notice is provided to the resident. Any person [that] who maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(2), as amended from time to time, shall be deemed to be in compliance with the security breach notification requirements of this section, provided (1) such person notifies, as applicable, such residents of this state, owners [,] and licensees required to be notified under, and in accordance with, the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security, and (2) if notice is given to a resident of this state in accordance with subdivision (1) of this subsection regarding a breach of security, such person also notifies the Attorney General, in a form and manner prescribed by the Attorney General, not later than the time when notice is provided to the resident.
(h) Any person [that] who is subject to, and in compliance with, the privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act ("HITECH"), as either of said acts may be amended from time to time, shall be deemed to be in compliance with this section, provided [that] (1) any person required to provide notification to Connecticut residents pursuant to HITECH shall also provide notice to the Attorney General, in a form and manner prescribed by the Attorney General, not later than the time when notice is provided to such residents if notification to the Attorney General would otherwise be required under subparagraph (A) of subdivision (2) of subsection (b) of this section, and (2) the person otherwise complies with the requirements of subparagraph (B) of subdivision (2) of subsection (b) of this section.

(i) (1) Notwithstanding the provisions of subsections (g) and (h) of this section, any person who owns, licenses or maintains computerized data that includes personal information shall, subject to the provisions of subsection (d) of this section, (A) immediately following the discovery of any unauthorized access to, or any unauthorized use of, a computer or computer network that will likely result in a massive breach of security, retain a third party who has experience performing forensic examinations and analyses of computers or computer networks to (i) perform a forensic examination and analysis of the computer or computer network that was the subject of such unauthorized access or use, and (ii) prepare a detailed forensic report disclosing, at a minimum, (I) the results of the forensic examination and analysis, and (II) how such unauthorized access or use occurred, as well as the root causes of such unauthorized access or use, to the extent the forensic examination and analysis revealed such information, and (B) not later than sixty days following the discovery of any unauthorized access to, or any unauthorized use of, a computer or computer network that will likely result in a massive breach of security, submit to the Attorney General, in a form and manner prescribed by the Attorney General, a reasonable timeline to (i) prepare the detailed forensic report, and (ii) submit such report to the Attorney General upon request by the Attorney General.

(2) If any person fails to submit a detailed forensic report to the Attorney General, upon request by the Attorney General and in a form and manner prescribed by the Attorney General, the Attorney General may retain a third party who has experience performing forensic examinations and analyses of computers or computer networks to (A) perform a forensic examination and analysis pursuant to subparagraph (A)(i) of subdivision (1) of this subsection, and (B) prepare and submit the detailed forensic report to the Attorney General in accordance with the provisions of subdivision (1) of this subsection.

(3) Any person who retains a third party to perform a forensic examination and analysis and prepare a detailed forensic report for submission to the Attorney General pursuant to subdivision (1) of this subsection, or who fails to submit a detailed forensic report to the Attorney General as set forth in subdivision (2) of this subsection, shall bear the cost of the forensic examination and analysis performed, and of the detailed forensic report submitted, pursuant to subdivision (1) or (2) of this subsection, as applicable.
[(i)] (j) All documents, materials and information provided in response to an investigative demand issued pursuant to subsection (c) of section 42-110d in connection with the investigation of a breach of security, [as defined by this section] and all forensic reports prepared pursuant to subsection (i) of this section, shall be exempt from public disclosure under subsection (a) of section 1-210, provided the Attorney General may make such documents, materials, [or] information or forensic reports available to third parties in furtherance of such investigation. To the extent any forensic report prepared pursuant to subsection (i) of this section includes information subject to attorney-client privilege or work product protection, submission of such report to the Attorney General shall not constitute a waiver of such privilege or protection.

[(j)] (k) (1) Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General.

(2) In addition to any penalty imposed under chapter 735a, any person who fails to submit a detailed forensic report to the Attorney General, upon request by the Attorney General and in a form and manner prescribed by the Attorney General, in accordance with the provisions of subsection (i) of this section shall be subject to a civil penalty in an amount not to exceed two hundred fifty thousand dollars. In determining the amount of the civil penalty to be imposed on such person, the court shall consider whether such person is (A) a small business or micro business, as such terms are defined in section 32-344, or (B) a nonprofit employer that employs (i) not more than five hundred employees, or (ii) fewer than fifty full-time employees.

[(k)] (l) Any civil penalties collected for failure to comply with the requirements of this section may be deposited into the privacy protection guaranty and enforcement account established pursuant to section 42-472a.
This act shall take effect as follows and shall amend the following sections:

Section 1: effective October 1, 2026; amends section 36a-701b
GL Joint Favorable Subst.
JUD Joint Favorable