CT SB00949

Requires state contractors handling confidential information (Social Security numbers, health records, financial accounts, biometric data, etc.) to implement comprehensive data security programs, including encryption, access controls, employee training, and breach notification procedures to the Attorney General within a proposed timeframe.

Prohibits contractors from storing confidential data on portable devices like flash drives or external hard drives except as approved, and bars copying or transmitting such data except as necessary for contracted services.

Establishes a data-sharing program under the Secretary of the Office of Policy and Management to link, analyze and share data across state executive agencies in response to queries, with strict security protocols and memoranda of agreement with participating agencies.

Requires health insurers, pharmacy benefits managers, and third-party administrators to implement comprehensive information security programs by October 1, 2017, with annual certification and specific safeguards for personal information.

Amends data breach notification law to require notification to Connecticut residents and the Attorney General within 90 days of discovery, and mandates companies offer identity theft prevention services at no cost for at least 12 months following a breach.