CT SB00117

Creates new category of "massive breach of security" defined as breaches affecting at least 100,000 Connecticut residents that result from unauthorized use of a computer or computer network

Requires entities experiencing a massive breach to immediately retain a third-party forensic expert to examine the affected systems and prepare a detailed report on how the breach occurred and its root causes

Mandates submission of the forensic report to the Attorney General within 90 days of discovering a massive breach; if the entity fails to comply, the Attorney General may hire a forensic expert at the entity's expense

Imposes civil penalties of $100,000 for small businesses or $500,000 for non-small businesses that fail to submit the required forensic report to the Attorney General

Effective October 1, 2026, and amends existing breach notification law (Section 36a-701b) to require breach-related materials be submitted to the Attorney General in a prescribed form and manner