New Connecticut Privacy Law Makes Path to Compliance More Complex

Connecticut became the fifth state to pass a consumer data privacy law with the signing of SB 6, titled “An Act Concerning Personal Data Privacy and Online Monitoring.” The law, which goes into effect July 1, 2023, is similar to the privacy laws in Virginia, Colorado, and Utah, but it falls short of some of the provisions and protections in the California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA).

This latest state privacy law further intensifies the pressure on corporate compliance departments, which face the increasingly difficult task of meeting the reporting and coverage requirements of a growing number of privacy laws, and it puts pressure on the federal government to come up with a national law that clarifies consumer privacy rights, says Lisa Sotto, partner and chair of the privacy and cybersecurity practice at Hunton Andrews Kurth LLP, a Richmond, Va.-based law firm.

“It’s completely insane complying with all of these [privacy] laws; it’s virtually impossible,” she says. There is no “highest common denominator” that lets an organization comply with one set of privacy regulations and thereby ensure compliance with all of them.

“It’s a mess,” Sotto says.

While all of the privacy laws have a lot in common, no two are identical. When you layer additional laws (such as those directed at the privacy of minors, healthcare, financial services, and other areas) on top of the five statewide laws, the matrix of compliance requirements becomes unwieldy.

Ever-Growing Thicket of Privacy Laws

Currently there is no national privacy law in the United States, but there is a patchwork of laws at the national and state levels that address varying areas of privacy. Among the federal laws are the Gramm-Leach-Bliley Act (GLBA), the Privacy Act of 1974, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH).

There are also industry rules, such as the Payment Card Industry Data Security Standard (PCI DSS), that dictate how companies must handle consumers’ payment card data. Sometimes laws and industry rules are in direct conflict, such as over when a data breach needs to be reported and to whom, forcing companies to choose which regulations to follow.

Add to those state and local laws, such as the New York State Personal Privacy Protection Law, as well as international laws, such as the European Union’s General Data Protection Regulation (GDPR), which applies to organizations anywhere in the world that handle the personal data of individuals in the EU, and compliance becomes unmanageable.

One huge challenge companies face when trying to manage compliance is determining exactly what the laws require and how they define privacy, which is open to interpretation. Forrester analyst Stephanie Liu points to the Colorado law, for example, which defines the sale of personal information as an exchange for “valuable consideration.” That wording explicitly does not limit a sale to an exchange for cash; it covers anything of value.

However, Liu says, she has “talked to a couple of data brokers who said that they do not sell data. If a data broker is making that argument, then you’ve got a loophole there.”

Comparing the Utah, Colorado, Virginia, and Connecticut laws, the “definition of sale” is where they tend to differ, Liu says. “It’s a huge headache,” she adds.

Exactly the Same, Only Different

While the Connecticut law specifically talks about guarding the privacy rights of consumers from businesses that sell products directly to the state’s residents, not all privacy rights are covered by the law. Insurance, for example, is a huge part of the state’s economy, but insurance companies are not covered by this new law. Instead, says Sotto, those companies are covered by the federal GLBA regulations.

Boards of directors have a fiduciary duty of oversight when it comes to cyber, she says, and that is forcing them to take a much closer look at privacy as well. Boards are taking a much more personal interest in privacy and compliance, especially now that recent laws can hold board members personally liable if a company is breached or if PII is stolen and made public.

Protecting personal privacy could have an impact on cyber insurance rates as well. Ransomware attacks that steal PII and threaten to make it public are very common today, and cyber insurance policies often include coverage for paying those ransom demands.

For cyber insurance carriers, notes Forrester senior analyst Jess Burn, that means very high legal costs are included under the premiums. Companies that are breached “need to work with their outside counsel on data breach notifications for every single affected state,” Burn says. “In addition, if it’s a B2C company, [you have] consumer notifications, credit monitoring, and all of those different fees that come along with it. Oh, and then the fines are going to come in as well.”

Not every privacy issue is addressed in privacy legislation, and not all personal data is addressed directly in the state privacy laws. Data that might contain personal data about investors, for example, is often addressed under other legislation that is not privacy-specific. The Fair Credit Reporting Act, for example, covers some consumer privacy issues that overlap the state privacy laws, as do HIPAA and other healthcare legislation, but these do not necessarily contradict other laws.

“Connecticut exempts employee data from its law entirely,” Burn says. “That’s another area where it’s interesting to see [that] sort of the uncertainty, if we’re being honest about how states are approaching it.”
