Date: 2026-03-06

A new bill introduced in Connecticut—Connecticut Senate Bill 117, An Act Concerning Breaches of Security Involving Electronic Personal Information—would create mandatory forensic examination requirements for entities that experience a “massive breach of security,” defined as a data breach affecting at least 100,000 Connecticut residents, and would impose substantial penalties for noncompliance.

SB 117 would require entities that experience a “massive breach of security” to:

Immediately retain a qualified third-party forensic examiner to conduct a forensic examination of the computer or computer system that was the subject of the data breach and to prepare a detailed forensic report disclosing how the breach occurred and its root causes;

Submit the detailed forensic report to the Connecticut Attorney General within 90 days of discovering the breach; and

Face civil penalties of $100,000 for small businesses and $500,000 for other entities for noncompliance.

The entity that experiences a massive data breach bears the cost of the forensic examination and report, regardless of whether the entity retains a third party itself or fails to do so and the Connecticut Attorney General retains a forensic examiner on its behalf. SB 117 would grant the Connecticut Attorney General authority to retain a qualified third party to perform the forensic examination and prepare the forensic report if an entity fails to comply.

If SB 117 is enacted, Connecticut would be the first state to impose automatic forensic examination and forensic reporting requirements for incidents based on a numerical threshold. The bill also raises serious issues regarding disclosure of confidential and proprietary information and privileged information.

In any event, given the scale of the potential penalties and the mandatory nature of the new requirements, entities that collect, store, or process personal information of Connecticut residents should closely monitor SB 117's progress in the Assembly. If it passes, companies should establish protocols for engaging qualified third-party forensic examiners immediately upon discovery of a massive data breach and ensure their incident response plans accommodate the 90-day reporting deadline to the Connecticut Attorney General.

