Connecticut Law Requires Safeguards for Personal Data and Social Security Number Policy

On June 10, 2008, Connecticut enacted a law which will require businesses that maintain personal information (e.g. Social Security number (SSN), driver’s license number, account number, or credit/debit card number), to, among other things:

1. Safeguard the personal information as well as the computer files and documents containing the information;
2. destroy or make unreadable information prior to disposal; and
3. create and publish a SSN privacy policy (if a company collects SSNs in the course of its business).

The policy must protect the SSNs from disclosure, prohibit unlawful disclosure of SSNs, and limit access to SSNs.

No distinction is made between information obtained from consumers or employees, and no standard of safeguards is stated.

This law is different from many other state SSN laws in that it requires that a company safeguard all personal information and not just the SSN.

Nevertheless, any company with employees or consumers in Connecticut will need to comply.

Civil penalties for violation of the order are $500 per violation, but shall not exceed $500,000 for any event.

The law goes into effect on October 1, 2008.

To discuss how this law may impact your data collection and security policies and procedures, please contact the Seyfarth Shaw attorney with whom you work.