By: Holly K. Towle
On June 30, 2015, Connecticut’s governor signed into law an amendment to the state’s data-security-breach-notice statute to mandate “appropriate” identity theft prevention services for breaches involving social security numbers. Identity theft mitigation services are also required “if applicable” (e.g., if identity theft actually occurs). The services must be provided at no cost and for at least 12 months. The statute does not explain which identity theft “prevention” or “mitigation” services are mandated or which are “appropriate.”
That failing is a material problem for businesses covered by the statute. It may also be a compliance problem, given the significant differences and options among “identity theft” service offerings and their costs. The statute’s blanket approach also makes unfortunate assumptions about the nature of data breaches. In reality, data breaches usually involve two victims: the business suffering the breach and the individuals whose data was breached. This is easiest to see when a criminal is the cause of the breach (e.g., a criminal steals the safe or invades the system). Especially for businesses maintaining reasonable security, a statute that automatically assigns all responsibility to one of the victims may create policy or legal issues.
Connecticut seems to be the first state to mandate identity theft prevention or mitigation services. In 2014, media reports claimed California was the first, but California’s 2014 amendment avoided the above issues by not, in fact, mandating services. The California amendment says that if services are provided for a breach involving an SSN, driver’s license number or CA identification card number, the required breach notice must disclose how the notice recipient may enroll for any offered services. The Connecticut statute requires a similar disclosure but goes further by mandating services. Whether that is a step too far remains to be seen.
The Connecticut provision is part of larger legislation, Public Act No. 15-142, imposing an array of data-security-related obligations such as on contractors for state agencies and on health insurers and health-related companies. The identity theft services mandate takes effect October 1, 2015.