11 March 2026

Connecticut's Proposed Revisions To Data Breach Statute

BakerHostetler


Connecticut's attorney general wants "the tea" on your data breaches – even if it means taking matters into their own hands. Connecticut lawmakers recently brewed amendments to Connecticut's data breach notification statute, which create a first-of-its-kind data breach reporting obligation for entities. Under the proposed framework, any entity experiencing a "massive breach of security" – newly defined as involving the personal information of more than 100,000 Connecticut residents – must retain an experienced forensic firm and submit a detailed forensic report to the Connecticut attorney general within 90 days following the discovery of the massive breach of security. If the entity fails to do so, the Connecticut attorney general may directly engage a firm and require the entity to cover the costs, with noncompliance carrying a civil penalty of up to $500,000 ($100,000 for small businesses).

While the proposed amendments note that the forensic reports provided to the attorney general in compliance with the statute will be exempt from public disclosure, the attorney general may provide the forensic report to third parties in furtherance of an investigation of a breach of security. This approach infuses elements of the payment card industry's PCI Forensic Investigation model, but it lacks the protection that exists for banks with federal oversight, where sharing forensic reports with their primary regulator does not waive privilege. Ultimately, if these amendments pass as written, they could allow people to argue that privilege was waived if an entity feels compelled to share with the Connecticut attorney general a report that was prepared in connection with a privileged forensic investigation. If those arguments are successful, entities risk reducing their control over the information that is produced in data breach litigation and regulatory investigations. One solution for entities could be to engage two forensic investigation firms – one privileged and one not, a model used in the payment card industry. The firm that was not engaged under privilege would draft the report to be provided to the Connecticut attorney general. While this solution could be helpful in allowing entities to comply with reporting obligations and providing defenses to allegations of privilege waiver, the feasibility of this solution will likely boil down to whether the entity has the funds to engage two firms instead of just one.

Next, the bill must be voted on by Connecticut's General Law Committee before it can move to the Senate or House floor. While the bill steeps, entities should interpret the proposed amendments as a signal for more regulatory attention on cybersecurity and data breaches ahead. As always, entities should focus on enhancing data security protections and developing a more mature compliance program. Conducting risk assessments and tabletop exercises, developing incident response plans, and pre-vetting incident response vendors are great ways to start strengthening an entity's cybersecurity and compliance framework.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
