On the heels of Vermont's recent amendment to its data
breach notification law (which we blogged about
here), Connecticut's legislature recently
amended its own data breach notification law (Conn. Gen. Stat.
§ 36a-701b). The amended law will take effect on October

While several of the changes to the law were non-substantive in
nature and more for the sake of clarification, the amended law does
impose what seems to be the new trend in data breach notification
obligations: the requirement to notify the state attorney

Under newly added subsection (b)(2) of the statute, companies
that are required to notify Connecticut residents of a data breach
must also notify the Attorney General of Connecticut no later than
the time when notice is provided to the residents (which, according
to subsection (b)(1), must be made without unreasonable delay,
subject only to delays resulting from law enforcement
investigations and a company-conducted investigation to determine
the nature and scope of the incident, identify the individuals
affected, or restore the reasonable integrity of the underlying