On June 4, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-90 “An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies” (P.A. 18-90).  This bill makes several revisions to Connecticut laws concerning identity theft, most notably by newly prohibiting credit reporting agencies from charging fees for consumers to place or remove security freezes. This law takes effect on October 1, 2018.

 Under P.A. 18-90, a credit rating agency cannot charge a consumer a fee to place, remove, or temporarily lift a security freeze on a consumer’s credit report for a period of time, or for a specific party. Previously, credit rating agencies were permitted to charge certain consumers up to $10 to place, remove, or temporarily lift a credit security freeze for a period of time, and up to $12 to temporarily lift a credit security freeze for a specific party. Currently, a credit rating agency is required to place a security freeze on a consumer’s credit report within five business days of a consumer’s request, and to remove a security freeze on a consumer’s credit report within three business days (except where the consumer is a minor child). P.A. 18-90 revises current law to obligate credit rating agencies to take such actions “as soon as practicable” and not later than the current deadlines. Connecticut law defines a “security freeze” in pertinent part as a notice placed in a consumer’s credit report at the request of the consumer that prohibits a credit rating agency from releasing the consumer’s credit report, or any information from it, without the consumer’s express authorization.

P.A. 18-90 also prohibits a credit rating agency from requiring a consumer to enter into an agreement limiting any claims the consumer may have against the credit rating agency as a condition of placing a security freeze, and prohibits credit rating agencies from charging fees to consumers for personal identification numbers. This legislation further makes a minor change to the procedures by which a consumer can request that a credit rating agency lift or remove a security freeze on a credit report. Whereas previously the law permitted communication by electronic mail, letter or facsimile, now the law allows communication by electronic means, letter or facsimile.

P.A. 18-90 makes an important change to Connecticut’s data breach law by revising the definition of “personal information” that may be the subject of a reportable “breach of security” thereunder.  A “breach of security” is defined as unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by another method or technology that renders the personal information unreadable or unusable. Conn. Gen. Stat. § 36a-701b currently defines “personal information” as an individual’s first name or first initial and last name combined with one of the following data points: (1) a Social Security Number, (2) driver’s license number or state identification card, or (3) an account number, credit or debit card number, in combination with any required security code, access code or password that would enable access to an individual’s financial account. This legislation makes a credit or debit card number a stand-alone category which, when combined with an individual’s first name or initial and last name, constitutes protected “personal information” under Connecticut law.  P.A. 18-90 further establishes a separate category under which an individual’s financial account number, in combination with any required security code, access code or password that would enable access to an individual’s financial account, constitutes “personal information” when combined with the individual’s first name or initial and last name. As a result of this legislation, exposure of a person’s debit card listing the individual’s name and card number will likely constitute a breach of security even without a corresponding personal identification code.

Under current law, businesses must provide free identity theft protection services and identity theft mitigation services to consumers whose social security number has been or is reasonably believed to have been breached. This legislation increases, from 12 to 24 months, the period of time that such services must be offered to affected consumers at no cost.

Finally, this legislation authorizes the Banking Commissioner to adopt regulations that require credit rating agencies to provide the Commissioner with points of contact to be used by the Department of Banking to assist consumers in the event of a data breach.