AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Connecticut Data Breach Law Updated: You Are Required To Notify State AG

Beginning on October 1, 2012, an update to Connecticut law requires firms that do business in the state to also notify the Attorney General of any reportable data breaches.  Of course, the law hasn't completely revamped all legislation concerning data breaches: reporting the loss of data is not required if the information has been properly protected with drive encryption software like AlertBoot, which combines both smartphone and tablet device protection with traditional hard disk encryption under one easy-to-use management console.

Companies that need to comply with the above requirement should keep this email address handy: ag.breach@ct.gov.  That's the email address specifically set up by the AG for reporting data breaches.

Minor Update to 36a-701b, CT's Data Breach Law

I noted a couple of years ago how CT's data breach law was a breath of fresh air.  As a layperson (read: non-lawyer), this was one piece of legislation that could be read by a child and made sense of.

However, it looks like there was a little oversight over a particular matter.  From AG Jepsen in ct.gov:

"Existing state law directs my office [Office of the Attorney General, OAG] to enforce requirements that companies notify state residents whose personal information may be compromised by a data breach," said Attorney General Jepsen. "However, the law made no requirement that my office be notified, making enforcement difficult. That will change beginning October 1, and I want to ensure that the process for a business owner to report a data breach is as easy as possible."

Of course, you don't have to use the email address I've listed at the top of this post.  Any way of contacting the AG is valid, it appears.

(If I were you, I'd email and then follow up with a phone call to confirm receipt.  It happens rarely, but emails do sometimes end up in the netherworlds of networks.  And I'm not referring to a spam folder: they literally just disappear into the network, never to be found again.)

An additional requirement is that "the attorney general also be notified no later than when the affected residents are notified."  Failure to do so is a violation of the Connecticut Unfair Trade Practices Act (CUTPA).

Why is CUTPA important?  Because it essentially determines what types of penalties a company faces for violating the data breach laws.  Connecticut's breach laws don't specifically mention any penalties; they just link them to CUTPA.

Interestingly enough, the Connecticut Insurance Commissioner (CIC) had/has much stricter policies.  In a post dated August 31, 2010, I noted that, per the CIC:

  • The use of encryption software (managed computer disk encryption, http://www.alertboot.com/disk_encryption/central_encryption_software_management.aspx) does not grant safe harbor from data breach notifications
  • The breach of paper records is also reportable
  • The breach must be reported within five calendar days from the discovery of the breach

It looks like the AG is playing catch-up to the Insurance Commissioner.  On the other hand, information pertaining to insurance companies tends to be highly sensitive in nature, so it makes sense that a particular subset of businesses operating out of Connecticut is more aggressively required to report its data breaches.


Related Articles and Sites:
http://www.ct.gov/ag/cwp/view.asp?Q=511084&A=2341
http://www.hartfordbusiness.com/apps/pbcs.dll/article?AID=/20120918/NEWS01/120919838
http://articles.courant.com/2012-09-18/business/hc-data-breach--20120918_1_breaches-privacy-task-force-report-data

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.