The text below has been excerpted from the website of the Attorney General and provides information of relevance to merchants. The entire document may be found at https://portal.ct.gov/AG/General/Report-a-Breach-of-Security-Involving-Computerized-Data.
Pursuant to Connecticut General Statutes § 36a-701b, anyone who conducts business in Connecticut and who– in the ordinary course of business– owns, licenses or maintains computerized data that includes personal information is required to disclose a security breach to state residents whose personal information is believed to have been compromised. Notice to consumers must be made without unreasonable delay but not later than ninety days from discovery of the breach.
Additionally, business owners must notify the Office of the Attorney General no later than when the affected residents are notified. Failure to provide such notice may be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA).
Please note that, effective October 1, 2018, the required minimum length of credit monitoring is now twenty-four months. See Conn. Gen. Stat. § 36a-701(b)(2)(B).
Posted 2019-05-04.