Doing business with Connecticut’s state government requires individuals, businesses and other entities to comply with numerous legal, regulatory and contractual requirements. Among these obligations are some of the nation’s most stringent state contractor data privacy and security requirements.
Shipman & Goodwin LLP’s Privacy and Data Protection Group has prepared this article to inform current and potential state contractors of Connecticut’s data privacy and security requirements and to answer the most commonly asked questions about applicable Connecticut law and compliance with it. This article also includes our recommendations for analyzing compliance under applicable Connecticut law and, if necessary, developing a plan to satisfy the pertinent legal requirements.
Connecticut’s data privacy and security requirements (the “Privacy Law”) apply to a wide range of contractors doing business with the State of Connecticut and implicate a very large number of individuals and businesses nationwide, including consultants, law firms, employee benefit administrators, educational institutions, and others providing professional, insurance, financial or supply chain goods and services. However, not every entity doing business with the state of Connecticut will find itself subject to the Privacy Law and each entity should conduct a careful review of its dealings with Connecticut to determine whether such dealings require compliance with the Privacy Law. We prepared the following questions to guide your initial review.
1. Which state contractors must comply with the Privacy Law?
The Privacy Law applies to any individual, business or other entity that is receiving “confidential information” from a state agency pursuant to a written agreement to provide goods or services to the state.
2. How does the Privacy Law define “confidential information”?
The Privacy Law defines “confidential information” very broadly and the definition includes much more information, and more types of information, than is often protected under data privacy and security laws. Accordingly, contractors should be cognizant that a large number of state contracts may be subject to the Privacy Law’s requirements.
The Privacy Law defines “confidential information” as: (i) a person's name, date of birth or mother's maiden name; (ii) any of the following numbers: driver's license, Social Security, employee identification, employer or taxpayer identification, alien registration, passport, health insurance identification, demand deposit or savings account, or credit or debit card; (iii) unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation; (iv) “personally identifiable information” and “protected health information,” as defined, respectively, by the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); and (v) any information that a state contracting agency identifies as confidential. “Confidential information” does not include information that may be lawfully obtained from public sources or federal, state or local government records lawfully made available to the public.
3. Does the law apply to contracts with all state agencies?
No, while the Privacy Law applies to nearly all state agencies, the Privacy Law does not apply to all state and quasi-state entities. The Privacy Law applies to individuals, businesses and other entities that have contracts with the following state departments and agencies, or sub-units thereof:
- Office of Policy and Management
- Administrative Services
- Revenue Services
- Children and Families
- Consumer Protection
- Economic and Community Development
- State Board of Education
- Emergency Services and Public Protection
- Energy and Environmental Protection
- Public Health
- Mental Health and Addiction Services
- Social Services
- Developmental Services
- Motor Vehicles
- Veterans’ Affairs
- Housing
- Rehabilitation Services
- Early Childhood
- Military Affairs
4. I am with an out-of-state contractor. Does the Privacy Law apply to my business?
Yes, if you or your business is receiving “confidential information” from a state agency pursuant to a written agreement to provide goods or services to the state of Connecticut, the Privacy Law applies regardless of where you or your business is located.
Elements of a Privacy and Security Program
Contractors that are subject to the Privacy Law must comply with a host of data privacy and security requirements. The specific requirements will be set forth in the written agreement between the contractor and the state agency and will require, at a minimum, the contractor to:
- implement and maintain a “comprehensive data security program”;
- protect “confidential information” from being breached;
- limit access to “confidential information” to the contractor's authorized employees and agents as necessary for purposes of the contract;
- maintain all “confidential information” obtained from the state (i) in a secure server, (ii) on secure drives, (iii) behind firewalls and monitored by intrusion detection software, and (iv) in a manner where access is restricted to authorized employees and agents; and
- implement, maintain, and update security and breach investigation procedures.
The following are some of the most commonly asked questions about the elements of a data privacy and security program:
1. What does the state of Connecticut expect to be included in a “comprehensive data security program”?
A “comprehensive data security program” must be consistent with the requirements of applicable state and federal law, including Connecticut’s state contractor requirements. The program must also be consistent with any state agency policies or procedures regarding data privacy and security that apply to contractors.
While applicable law and agency policies may expand the scope of a contractor’s data security program, all contractors that receive “confidential information” from state agencies must include at least the following elements in their respective data security programs:
- secure computer and Internet user authentication protocols that include (i) control of user identifications and other identifiers, (ii) multifactor authentication, (iii) control of security passwords, (iv) restriction of access to only active users, and (v) the blocking of access after multiple unsuccessful attempts to gain access;
- secure access control measures that include (i) restriction of access to “confidential information” to only those individuals who require such data to perform their job duties, (ii) assignment of passwords that are not vendor-assigned default passwords and that require resetting not less than every 6 months, (iii) encryption of information while being transmitted on a public Internet network or wirelessly, (iv) encryption of information stored on a laptop computer or other portable device, (v) monitoring of contractor’s security systems for breaches of security, (vi) for information that is stored or accessible on a system that is connected to the Internet, reasonably up-to-date software security protection that can support updates and patches, and (vii) employee education and training on the proper use of security systems and the importance of the security of “confidential information”;
- designation of one or more employees to oversee the contractor’s security program;
- identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, or integrity of any electronic, paper, or other records that contain “confidential information”;
- development of employee security policies and procedures for the storage of, access to, transport of, and transmittal of information off-premises;
- imposition of disciplinary measures on employees for violating security policies or procedures;
- prevention of terminated, inactive, and retired employees from accessing “confidential information”;
- oversight of subcontractors that have or will have access to “confidential information” compiled or maintained by the contractor;
- reasonable restrictions on physical access to “confidential information” in paper format and storage of such data in locked facilities, storage areas, or containers;
- review of the security program at least annually or whenever there is a material change in business practices; and
- mandatory post-incident review following any actual or suspected data breach.
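The authentication and access-control elements in the list above (multifactor authentication, lockout after repeated failed attempts, non-default passwords reset at least every 6 months, encryption in transit and on portable devices, current patching on Internet-connected systems, and access limited to active users who need it) can be turned into a repeatable self-audit. The following is an added example, not code from the article, the law firm, or the State of Connecticut; the inventory field names (`mfa`, `lockout_threshold`, `password_max_age_days`, and so on) are assumed names for a hypothetical asset export, the 183-day and 90-day thresholds are assumptions standing in for “6 months” and “reasonably up-to-date”, and the sample inventory is constructed.

```python
"""Self-audit of the minimum authentication and access-control elements of a
"comprehensive data security program". Added example; field names, thresholds
and the sample inventory are assumptions, not from the article or the state."""
from datetime import date, timedelta

# "resetting not less than every 6 months": assume 183 days is the longest
# acceptable password age.
PASSWORD_MAX_AGE_DAYS = 183
# "reasonably up-to-date software security protection": assume a 90-day window.
PATCH_MAX_AGE_DAYS = 90
# Fixed reference date so the audit is reproducible (assumed value).
AUDIT_DATE = date(2024, 6, 1)

# Constructed sample inventory (made-up hostnames and values): one record per
# system that stores or can reach "confidential information".
SAMPLE_INVENTORY = [
    {   # A well-configured server: should produce no findings.
        "name": "case-mgmt-db", "portable": False, "internet_facing": True,
        "mfa": True, "lockout_threshold": 5, "password_max_age_days": 90,
        "default_password": False, "tls_in_transit": True,
        "disk_encrypted": True, "last_patch": date(2024, 5, 1),
        "accounts": [{"user": "jdoe", "active": True, "needs_access": True}],
    },
    {   # A field laptop missing MFA, lockout, disk encryption, and with a
        # retired user's account still present.
        "name": "field-laptop-07", "portable": True, "internet_facing": False,
        "mfa": False, "lockout_threshold": 0, "password_max_age_days": 365,
        "default_password": False, "tls_in_transit": True,
        "disk_encrypted": False, "last_patch": date(2023, 11, 2),
        "accounts": [
            {"user": "asmith", "active": True, "needs_access": True},
            {"user": "retired-bjones", "active": False, "needs_access": False},
        ],
    },
    {   # An appliance still using its vendor default password and plaintext
        # transport.
        "name": "scanner-appliance", "portable": False, "internet_facing": True,
        "mfa": True, "lockout_threshold": 10, "password_max_age_days": 180,
        "default_password": True, "tls_in_transit": False,
        "disk_encrypted": True, "last_patch": date(2024, 4, 15),
        "accounts": [],
    },
]


def _patched_recently(record, today):
    """Only Internet-connected systems are held to the patch window."""
    if not record["internet_facing"]:
        return True
    return today - record["last_patch"] <= timedelta(days=PATCH_MAX_AGE_DAYS)


# (control id, description, predicate). Each predicate returns True when the
# record satisfies the element; ids are labels invented for this example.
CONTROLS = [
    ("AUTH-MFA", "multifactor authentication enabled",
     lambda r, today: r["mfa"]),
    ("AUTH-LOCKOUT", "access blocked after multiple unsuccessful attempts",
     lambda r, today: r["lockout_threshold"] > 0),
    ("AUTH-ACTIVE-ONLY", "only active users who need access retain accounts",
     lambda r, today: all(a["active"] and a["needs_access"]
                          for a in r["accounts"])),
    ("ACL-NO-DEFAULT", "no vendor-assigned default passwords",
     lambda r, today: not r["default_password"]),
    ("ACL-PW-AGE", "password reset required at least every 6 months",
     lambda r, today: r["password_max_age_days"] <= PASSWORD_MAX_AGE_DAYS),
    ("ACL-TLS", "confidential information encrypted in transit",
     lambda r, today: r["tls_in_transit"]),
    ("ACL-PORTABLE-ENC", "portable device storage encrypted",
     lambda r, today: (not r["portable"]) or r["disk_encrypted"]),
    ("ACL-PATCH", "Internet-connected system patched within the window",
     _patched_recently),
]


def audit(inventory, today):
    """Return one (system, control_id, description) tuple per failed control."""
    findings = []
    for record in inventory:
        for control_id, description, passes in CONTROLS:
            if not passes(record, today):
                findings.append((record["name"], control_id, description))
    return findings


def is_compliant(inventory, today):
    """True only when every system satisfies every control."""
    return not audit(inventory, today)


if __name__ == "__main__":
    for system, control_id, description in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{system}: {control_id} - {description}")
```

The output is one line per failed element and system, which maps directly onto the self-audit list in the recommendations section of this article; the remaining program elements (designated security officer, subcontractor oversight, physical storage, annual review) are organizational and are better tracked in the written policy than in an inventory check.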
2. Are there special requirements applicable to maintaining “confidential information”?
Yes, Connecticut law prohibits state contractors from storing “confidential information” on a stand-alone computer or notebook, hard disks, or portable storage devices such as external or removable hard drives, flash cards, flash drives, compact disks, or digital video disks. Note that a state agency may agree to modify the above maintenance requirements in a written agreement with a contractor.
3. Does the law restrict copying or reproducing “confidential information”?
Yes, Connecticut law prohibits a state contractor from copying, reproducing, or transmitting “confidential information” except as necessary to perform the contract. Note that Connecticut law also applies to all copies of “confidential information,” including modifications or additions to the information. As with the storage requirements, a state agency may agree to modify the copy and reproduction prohibition in a written agreement with a contractor.
4. What does the state of Connecticut expect to be included in breach investigation procedures?
The Privacy Law gives state contractors some flexibility in preparing written breach investigation procedures. The requirement for breach investigation procedures is scalable, meaning the requirements depend upon a reasonable review of the particular facts and circumstances of the contractor’s receipt and use of “confidential information.” A contractor should review the nature of its arrangement with the state and ensure that its breach notification procedures are (i) appropriate given the nature of the information disclosed, and (ii) reasonably designed to protect “confidential information” from unauthorized access, use, modification, disclosure, manipulation and destruction.
In addition, breach notification procedures should ensure compliance with the breach notification requirements discussed in the next section of this article.
5. May a state agency waive or modify the “data security program” requirements?
Yes, the Privacy Law includes a waiver provision which allows the Office of Policy and Management (“OPM”) to require additional protections or alternate security assurance measures for “confidential information” if the facts and circumstances warrant them after considering, among other factors, the type and amount of “confidential information” being shared, the purpose for which the “confidential information” is being shared and the types of goods or services covered by the contract. Notably, the Privacy Law does not direct OPM to consider the size or resources of the state contractor.
Breach Notification Requirements
Today, nearly all states have some form of a personal or confidential information breach notification statute with which contractors may be familiar. Typically, these laws require notification to individuals or government agencies in the event of the inappropriate use or disclosure of sensitive personal information, such as Social Security numbers. Connecticut’s obligations regarding breach reporting for state contractors go well beyond these laws by expanding the definition of breach, imposing more strict notification requirements and allowing for potentially significant penalties.
1. What is a “confidential information breach”?
The Privacy Law defines “confidential information breach” as any instance in which an unauthorized person or entity accesses “confidential information” in the control, custody or possession of the state contractor. A breach includes the following:
- the unauthorized access or possession of “confidential information” that is not encrypted or secured by any other method or technology that makes the personal information unreadable or unusable;
- the unauthorized access or possession of “confidential information” that is encrypted, along with the confidential process or key capable of breaking or compromising the encryption; and
- any incident that poses a substantial risk of identity theft or fraud relating to a client of the state agency or contractor.
2. What steps must a state contractor take in the event it discovers a breach?
In the case of a breach of “confidential information,” a state contractor must:
- notify the state agency and the Office of the Attorney General, as soon as practical after discovering the breach or having reason to believe that the breach occurred;
- if directed to do so by the state agency, immediately stop using the “confidential information”; and
- in accordance with any pertinent requirements in the contract with the state agency, submit to the state agency and Office of the Attorney General a report either (a) detailing the breach or providing a plan to mitigate its effects with the steps taken to prevent future breaches or (b) explaining why, upon further investigation, the contractor believes no breach occurred.
3. Must a state contractor report suspected breaches or may it wait until it confirms that a breach in fact occurred?
A state contractor must report any actual or suspected breach of “confidential information” and thus may not delay reporting until verification of a breach. Note that such reports are not subject to disclosure under the Freedom of Information Act (“FOIA”).
4. Do grounds exist for delaying notification to the state agency and the Office of the Attorney General?
Connecticut law allows the notice to the contracting agency and Office of the Attorney General to be delayed if a law enforcement or intelligence agency informs the contractor that the notification would impede a criminal investigation or jeopardize homeland or national security. If the notice is delayed, the contractor must provide it to the contracting agency as soon as reasonably feasible. Notably, the law does not appear to require providing the delayed notice to the Office of the Attorney General. However, in practice, contractors may decide to provide the notice to the Office of the Attorney General in the spirit of cooperation.
5. What penalties may result from a breach of “confidential information”?
The Connecticut Office of the Attorney General may investigate and bring a civil action against state contractors that violate the breach notification requirements. The Privacy Law does not create a private right of action (meaning that individuals may not file a claim to enforce the law or obtain compensatory damages under it). However, in light of recent Connecticut court decisions, it is possible that failure to adhere to the breach notification requirements will make a state contractor subject to negligence suits from aggrieved parties.
Special penalties may apply if a breach involves “confidential information” containing educational records with personally identifiable information, as defined under FERPA. In the event of such a breach, the state contractor may be subject to a 5-year ban on receiving access to such information.
6. Do the breach notification requirements trump other breach notification obligations to which a company may be subject, such as state personal information laws or HIPAA?
The Privacy Law’s requirements for data security are in addition to others that may exist under applicable state or federal law. For example, the requirements imposed on contractors do not supersede or negate other breach notification requirements to which the state contractor may be subject, such as state personal information breach laws or HIPAA.
Recommendations for Evaluating Compliance
Connecticut imposes significant requirements relating to the privacy and security of “confidential information” when in the hands of state contractors. The state’s expectations are high and compliance may be particularly burdensome for contractors in industries without a history of data privacy regulation or for small entities with limited financial or other resources.
The following outlines a suggested approach contractors may consider when evaluating compliance with the Privacy Law under existing or potential contracts with state agencies:
1. Carefully Review Current or Potential State Contracts.
Any individual or entity with a written contract with the state of Connecticut, or any of the state’s agencies, offices or departments, should carefully review the contract to determine whether the Privacy Law applies to the arrangement. Specifically, contractors should pay particular attention to whether the contract involves (or at least contemplates) the creation or receipt of “confidential information” and whether the contracting agency is included in the list of applicable state agencies above.
Contractors submitting a bid for, or which are in the process of executing, a state contract should be cognizant of the privacy and security requirements that will apply through the contract. Such contractors should also note whether the contract presented by the state agency modifies or expands any of the Privacy Law’s requirements and determine what, if any, changes to the contractor’s existing privacy and security program would be necessary to ensure compliance with the contractual terms. Potential state contractors should address privacy and security as early as possible to ensure that a compliant data security program is established and implemented by the contract’s effective date.
2. Evaluate Existing Privacy and Security Program.
Contractors with existing state contracts, or which are contemplating submitting a bid for a state contract, should conduct a self-audit to evaluate the contractor’s compliance with the Privacy Law’s data privacy and security requirements. The evaluation should consider at least the following:
- what “confidential information” the contractor maintains and where such information is located;
- the safeguards used to protect the confidentiality of the information, including with respect to storage, use, disclosure and transmission;
- access controls on the information and/or the systems maintaining such information;
- breach notification policies and procedures;
- password strength and use policies;
- employee and staff privacy and security training and awareness; and
- periodic (and at least annual) review of the contractor’s privacy and security program.
Attention should be paid to both the Privacy Law and any additional requirements set forth in the written contract with the state agency. Contractors should also inquire whether any state agency policies expand or modify the Privacy Law’s requirements and request copies of any such policies.
Contractors should strongly consider having all of the Privacy Law’s requirements addressed in written policies that are approved by the contractor and made available to employees and staff. If necessary, contractors should consider reaching out to external resources for advice regarding the sufficiency of a contractor’s privacy and security program.
3. Keep an Eye on the Definition of “Confidential Information” in State Agency Contracts.
At times, contractors may have little leverage in negotiating contracts with state agencies. When they do, negotiations often focus on certain key issues, such as the services or goods to be provided, indemnification, payment and termination. In light of the significant requirements that follow from the definition of “confidential information,” contractors and their counsel should focus on how contracts with state agencies define confidential information and how such definition affects the contractor’s obligations and compliance with state law.
For further information or to discuss how these issues may impact you or your clients, please contact William J. Roberts or any member of Shipman & Goodwin’s Privacy and Data Protection Group.
1. FERPA defines “personally identifiable information” as including but not being limited to: (i) the student's name; (ii) the name of the student's parent or other family members; (iii) the address of the student or student's family; (iv) a personal identifier, such as the student's social security number, student number, or biometric record; (v) other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name; (vi) other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or (vii) information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates. See 34 C.F.R. § 99.3.
2. HIPAA defines “protected health information” as individually identifiable health information that is: (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or medium. Protected health information excludes individually identifiable health information: (a) in education records covered by FERPA; (b) in employment records; (c) regarding a person who has been deceased for more than 50 years; and (d) in certain educational treatment records described at 20 U.S.C. 1232g(a)(4)(B)(iv). See 45 C.F.R. 160.103.
3. Please refer to footnote 2.