The Nutmeg State
Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for May 6, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we will focus on new laws and regulations designed to improve privacy, security, and notice of a security or data breach.
New Connecticut Privacy Law
We’re going to start in the Nutmeg State. This week, Connecticut joined the club of states that have passed their own comprehensive consumer privacy law in the absence of a federal law. Connecticut joins California, Virginia, Colorado and Utah, which have similar – but not identical – state laws.
What the Law Means for Residents
The Connecticut privacy law will take effect on July 1, 2023. It will allow residents to opt-out of data sales, targeted advertising, and data used to profile consumers in certain application processes. Websites and companies will have to get consent to process sensitive data and offer Connecticut residents ways to revoke that consent. Once a request to opt-out is received, organizations subject to the act will have 15 days to stop processing data.
If a child is under the age of 13, parental consent is needed for any website to collect personal information. However, businesses cannot collect personal data from or target advertising to children between the ages of 13 and 16.
Dark Patterns Prohibited Under New Law
Also prohibited under the Connecticut privacy law is the use of “dark patterns,” similar to the laws in Colorado and California. Dark patterns are manipulative design and marketing techniques that often trick consumers into opting into data sharing. Federal regulators are currently looking at the practice of using dark patterns with an eye towards more enforcement.
New Principles for Data Security and Privacy Practices
The new Connecticut privacy law also lays out several principles for organizations to adopt as part of their data security and privacy practices. Chief among them is data minimization, where you don’t collect more information than you need to complete a transaction, and you don’t keep it for longer than required to complete the deal. Data protection assessments for high-risk data are also required.
New Regulation Requires Banks to Notify Regulators of Security Incident in 36 Hours
Meanwhile, banks in the country are now required to notify regulators within 36 hours if an institution suffers a qualifying "computer-security incident." Several regulators approved the regulation, including the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve, and the Office of the Comptroller of the Currency.
Like many government regulations, the goal of notifying officials of a security incident seems simple enough. However, it takes an 80-page rule to define what qualifies as a computer-security incident. The agencies reviewed two years of suspicious activity reports and data to develop a list of examples that will now require notice, including:
- A large-scale attack that disrupts account access for more than four hours
- Widespread system outages that are caused by problems with vendors or failed upgrades
- A ransomware attack that encrypts a core banking system or backup data
The rule has been in effect for less than one week. However, observers are already watching to see if institutions can easily comply with the 36-hour rule – which is half the time allowed under other current regulatory schemes. In particular, experts are wondering if any meaningful information can be determined within 36 hours since most major incidents require months to determine what happened and why.
Contact the ITRC
If you want to learn more about the Connecticut privacy law, the new regulation for banks, or protecting your personal or business information, contact the ITRC. If you think you have been the victim of an identity crime or compromise, visit our new website at our old web address www.idtheftcenter.org. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST).
Be sure to listen to the latest episode of our sister podcast, the Fraudian Slip, where we talk with the SAS Institute about the latest scams. We will be back next week with another episode of the Weekly Breach Breakdown.