Connecticut Advances Bill to Strengthen Data Breach Accountability
Connecticut lawmakers have taken steps to expand the state’s data privacy laws with the passage of Senate Bill No. 117, which imposes stricter requirements on companies following a "massive breach of security." The bill, approved by the state Senate, mandates third-party forensic investigations for qualifying breaches and tightens reporting obligations to the Attorney General’s office.
Under the new legislation, a "massive breach" is defined as unauthorized access to electronic personal information affecting at least 100,000 Connecticut residents, broadening the scope of incidents that trigger mandatory reporting. Companies must submit a breach report within 60 days of discovery or face civil penalties of up to $250,000, depending on business size. The bill also requires organizations to conduct independent forensic audits to determine the cause and extent of the breach.
Senator James Maroney, co-chair of the General Law Committee, emphasized that the bill closes gaps in existing law by ensuring thorough investigations into large-scale breaches. According to Maroney, of the more than 2,300 data breaches reported in Connecticut last year, only seven would have met the new "massive breach" threshold.
The push for stricter regulations follows Attorney General William Tong’s call for stronger enforcement after the release of his office’s 2023 annual report. The Connecticut Data Privacy Act (CTDPA), enacted in 2022, already established baseline compliance standards, but the new bill aims to enhance accountability by ensuring timely disclosure and remediation.
The legislation reflects growing concerns over prolonged exposure of sensitive data, with Tong previously noting cases where breaches went unreported for over a year. The bill now awaits further legislative action.
Source: https://www.wshu.org/connecticut-news/2026-04-30/ct-data-privacy-laws-expansion
State of Connecticut - Office of the Governor cybersecurity rating report: https://www.rankiteo.com/company/state-of-connecticut-office-of-the-governor
"id": "STA1777588122",
"linkid": "state-of-connecticut-office-of-the-governor",
"type": "Breach",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"