CT SB00137
Bill
Status
2/19/2020
Primary Sponsor
General Law Committee
AI Summary
Raised Bill No. 137 Summary
- Reduces the notification timeline for data privacy breaches from 90 days to 30 days after discovery, unless a shorter period is required by federal law.
- Expands the definition of "personal information" to include medical information, health insurance policy numbers, and biometric information (such as fingerprints, voice prints, and iris images).
- Requires entities that experience breaches to offer affected residents at least 24 months of identity theft prevention and mitigation services at no cost, along with information on placing credit freezes.
- Mandates that notice of login credential breaches cannot be delivered exclusively through the affected online account but must use alternative notification methods.
- Makes the requirement to notify the Connecticut Attorney General concurrent with resident notification, and classifies failure to comply as an unfair trade practice enforceable by the Attorney General.
Legislative Description
An Act Concerning Data Privacy Breaches.
Last Action
Filed with Legislative Commissioners' Office
3/11/2020