Connecticut's Personal Information Protection Requirements
Effective October 1, 2008, Connecticut employers must establish and publish or publicly display a “privacy protection policy” stating how they will protect the confidentiality of, and limit access to, social security numbers in their possession (P.A. 08-167). In addition, companies must safeguard “personal information,” defined as any information capable of being associated with a particular individual through one or more identifiers, including but not limited to social security, driver’s license, credit card account, passport, alien registration, and health insurance numbers. Also, organizations must destroy, erase, or make unreadable personal data prior to disposal. Intentional violations shall subject an organization to civil penalties of $500 for each violation, provided such civil penalty shall not exceed $500,000 for any single event.
To comply with the new Act, employers should train employees on how to secure, handle and destroy files containing personal information, install encryption software on computers containing such information, and screen all employees who have access to personal information.