The bill is significant as it revises Chapter 36a of the general statutes, making it clear that any business which owns, licenses, or maintains computerized data that includes personal information must adhere to stringent notification requirements. Failure to comply with these requirements constitutes an unfair trade practice, thereby providing ground for enforcement by the Attorney General. The bill is seen as a response to increasing concerns around data security in a digital landscape, aiming to better protect residents' personal information through timely and effective notifications of breaches.
Summary
House Bill 05310, titled 'An Act Concerning Data Privacy Breaches', aims to amend existing statutes related to the notification process following data breaches that involve personal information. The bill introduces new definitions for terms such as 'breach of security' and 'personal information,' expanding the scope of what constitutes a data breach and the responsibilities of businesses regarding notification. Importantly, it establishes a requirement for entities that maintain such data to notify affected individuals and the Attorney General promptly following a breach. This notification must occur without unreasonable delay, shifting the deadline from the previous ninety days to sixty days after a breach is discovered.
Sentiment
Overall, the sentiment surrounding HB 05310 appears positive, reflecting a growing priority among stakeholders for increased data protection. There is general support for the bill, as proponents argue that it enhances consumer rights and trust in the management of personal data. However, there are concerns from some parties about implementation burden on businesses, particularly smaller entities that may lack the resources to comply swiftly with these new obligations. The push for enhanced consumer protection resonates well, though it raises discussions on balancing regulatory requirements and business capacities.
Contention
Notable points of contention include the reduction of notification timeframes and the requirement for businesses to provide identity theft prevention services at no cost to affected individuals for a minimum of twenty-four months. Critics argue that the reduced timeframe may place excessive pressure on organizations to comply quickly, potentially hindering thorough investigations of breaches before notifications are issued. Furthermore, the mandate for offering identity theft protection services has raised discussions on the financial implications for businesses that may not be prepared to absorb these costs.
Relating to appointment of and performance of notarial acts by an online notary public and online acknowledgment and proof of written instruments; authorizing a fee and creating a criminal offense.