Bill Text: CT SB01028 | 2017 | General Assembly | Introduced
Bill Title: An Act Implementing The Recommendations Of The Auditors Of Public Accounts.
Spectrum: Committee Bill
Status: (Introduced - Dead) 2017-03-16 - Public Hearing 03/20 [SB01028 Detail]
Download: Connecticut-2017-SB01028-Introduced.html
General Assembly |
Raised Bill No. 1028 | ||
January Session, 2017 |
LCO No. 5276 | ||
*05276_______GAE* | |||
Referred to Committee on GOVERNMENT ADMINISTRATION AND ELECTIONS |
|||
Introduced by: |
|||
(GAE) |
|||
AN ACT IMPLEMENTING THE RECOMMENDATIONS OF THE AUDITORS OF PUBLIC ACCOUNTS.
Be it enacted by the Senate and House of Representatives in General Assembly convened:
Section 1. Subsection (e) of section 2-90 of the general statutes is repealed and the following is substituted in lieu thereof (Effective from passage):
(e) (1) If the Auditors of Public Accounts discover, or if it should come to their knowledge, that any unauthorized, illegal, irregular or unsafe handling or expenditure of state funds or quasi-public agency funds or any breakdown in the safekeeping of any resources of the state or a quasi-public agency has occurred or is contemplated, they shall forthwith [present] report the facts to the Governor, the State Comptroller, the clerk of each house of the General Assembly [, the Legislative Program Review and Investigations Committee] and the Attorney General, [.] except if a matter reported to the Auditors of Public Accounts pursuant to section 4-33a, as amended by this act, is still under investigation by a state or quasi-public agency, the Auditors of Public Accounts may allow the agency reasonable time to conduct such investigation prior to the auditors reporting the matter to said persons. (2) If the Auditors of Public Accounts decide to delay reporting such matter, the auditors shall immediately notify the Attorney General of such decision. (3) Any Auditor of Public Accounts neglecting to make such a report required under subdivision (1) of this subsection, or any agent of the auditors neglecting to report to the Auditors of Public Accounts any such matter discovered by him or coming to his knowledge shall be fined not more than one hundred dollars or imprisoned not more than six months or both.
Sec. 2. Section 4-33a of the general statutes is repealed and the following is substituted in lieu thereof (Effective from passage):
All boards of trustees of state institutions, state department heads, boards, commissions, other state agencies responsible for state property and funds and quasi-public agencies, as defined in section 1-120, shall promptly notify the Auditors of Public Accounts and the Comptroller of any unauthorized, illegal, irregular or unsafe handling or expenditure of state or quasi-public agency funds or breakdowns in the safekeeping of any other resources of the state or quasi-public agencies or contemplated action to do the same within their knowledge. In the case of such notification to the Auditors of Public Accounts, the auditors may permit aggregate reporting in a manner and at a schedule determined by the auditors.
Sec. 3. Section 1-101pp of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2017):
Any commissioner, deputy commissioner, state agency or quasi-public agency head or deputy, or person in charge of state agency procurement, [and] contracting or human resources who has reasonable cause to believe that a person has violated the provisions of the Code of Ethics for Public Officials set forth in part I of this chapter or any law or regulation concerning ethics in state contracting shall report such belief to the Office of State Ethics, which may further report such information to the [Auditor] Auditors of Public Accounts, the Chief State's Attorney or the Attorney General.
Sec. 4. Subdivision (8) of section 4-37f of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2017):
(8) A foundation which has in any of its fiscal years receipts and earnings from investments totaling one hundred thousand dollars per year or more, or a foundation established for the principal purpose of coordinated emergency recovery that operated in response to an eligible incident, as defined in section 4-37r, during the fiscal year or with funds that exceeded one hundred thousand dollars in the aggregate, shall have completed on its behalf for such fiscal year a full audit of the books and accounts of the foundation. A foundation which has receipts and earnings from investments totaling less than one hundred thousand dollars in each fiscal year during any three of its consecutive fiscal years beginning October 1, 1986, shall have completed on its behalf for the third fiscal year in any such three-year period a full audit of the books and accounts of the foundation, unless such foundation was established for the principal purpose of coordinated emergency recovery and had completed on its behalf such an audit for any year in any such three-year period. For each fiscal year in which an audit is not required pursuant to this subdivision financial statements shall be provided by the foundation to the executive authority of the state agency. Each audit under this subdivision shall be (A) conducted [(A)] by an independent certified public accountant or, if requested by the state agency with the consent of the foundation, the Auditors of Public Accounts, [and] (B) conducted in accordance with generally accepted auditing standards, and (C) completed, and a copy of such audit submitted, in accordance with this section not later than six months after the end of the applicable fiscal year. The auditor shall submit (i) a report that includes an opinion regarding the financial statements and a management letter, and (ii) a report that includes an opinion on conformance of the operating procedures of the foundation with the provisions of sections 4-37e to 4-37i, inclusive, and recommendations for any corrective actions needed to ensure such conformance. Each audit report shall disclose the receipt or use by the foundation of any public funds in violation of said sections or any other provision of the general statutes. The foundation shall provide a copy of each audit report completed pursuant to this subdivision to the executive authority of the state agency and the Attorney General. Each financial statement required under this subdivision shall include, for the fiscal year to which the statement applies, the total receipts and earnings from investments of the foundation and the amount and purpose of each receipt of funds by the state agency from the foundation. As used in this subdivision, "fiscal year" means any twelve-month period adopted by a foundation as its accounting year;
Sec. 5. Subsection (b) of section 4-37g of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2017):
(b) In the case of an audit required pursuant to section 4-37f, as amended by this act, that was not conducted by the Auditors of Public Accounts, the executive authority and chief financial official of the state agency shall review the audit report received pursuant to said section and, upon such review, the executive authority shall sign a letter indicating that he has reviewed the audit report and transmit a copy of the letter and report to the Auditors of Public Accounts. If such audit report indicates that (1) funds for deposit and retention in state accounts have been deposited and retained in foundation accounts, or (2) state funds, personnel, services or facilities may have been used in violation of sections 4-37e to 4-37i, inclusive, or any other provision of the general statutes, the Auditors of Public Accounts may conduct a full audit of the books and accounts of the foundation pertaining to such funds, personnel, services or facilities, in accordance with the provisions of section 2-90, as amended by this act. For the purposes of such audit, the Auditors of Public Accounts shall have access to the working papers compiled by the certified public accountant in the preparation of the audit conducted pursuant to section 4-37f, as amended by this act, which are relevant to such use of state funds, personnel, services or facilities in violation of the provisions of sections 4-37e to 4-37i, inclusive, or any other provision of the general statutes. If the audit required pursuant to section 4-37f, as amended by this act, was not conducted, the Auditors of Public Accounts may conduct a full audit of the books and accounts of the foundation, in accordance with the provisions of section 2-90, as amended by this act.
Sec. 6. Subdivision (3) of subsection (c) of section 10a-109n of the general statutes is repealed and the following is substituted in lieu thereof (Effective from passage):
(3) The university shall thereafter give notice to those so prequalified by the university pursuant to subdivision (2) of this section of the time and place where the public letting shall occur and shall include in such notice such information of the work required as appropriate. Each bid or proposal shall be kept sealed until opened publicly at the time and place as set forth in the notice soliciting such bid or proposal. The university shall not award any construction contract, including, but not limited to, any total cost basis contract, after public letting, except to the responsible qualified contractor, submitting the lowest bid or proposal in compliance with the bid or proposal requirements of the solicitation document, [. The] except the university may [, however,] (A) waive any informality in a bid or proposal, and [may] (B) either reject all bids or proposals and again advertise for bids or proposals or interview at least three responsible qualified contractors and negotiate and enter into with any one of such contractors that construction contract which is both fair and reasonable to the university.
Sec. 7. Section 2-90b of the general statutes is repealed and the following is substituted in lieu thereof (Effective from passage):
The Auditors of Public Accounts shall [annually] biennially conduct an audit of reimbursements made from the Bradley Enterprise Fund to the Department of Emergency Services and Public Protection to cover the cost of Troop W operations carried out in accordance with the memorandum of understanding between the Department of Emergency Services and Public Protection and the Department of Transportation.
Sec. 8. Section 4-61dd of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2017):
(a) Any person having knowledge of any matter involving corruption, unethical practices, violation of state laws or regulations, mismanagement, gross waste of funds, abuse of authority or danger to the public safety occurring in any state department or agency, [or] any quasi-public agency, as defined in section 1-120, or any Probate Court or any person having knowledge of any matter involving corruption, violation of state or federal laws or regulations, gross waste of funds, abuse of authority or danger to the public safety occurring in any large state contract, may transmit all facts and information in such person's possession concerning such matter to the Auditors of Public Accounts. The Auditors of Public Accounts shall review such matter and report their findings and any recommendations to the Attorney General. Upon receiving such a report, the Attorney General shall make such investigation as the Attorney General deems proper regarding such report and any other information that may be reasonably derived from such report. Prior to conducting an investigation of any information that may be reasonably derived from such report, the Attorney General shall consult with the Auditors of Public Accounts concerning the relationship of such additional information to the report that has been issued pursuant to this subsection. Any such subsequent investigation deemed appropriate by the Attorney General shall only be conducted with the concurrence and assistance of the Auditors of Public Accounts. At the request of the Attorney General or on their own initiative, the auditors shall assist in the investigation.
(b) (1) The Auditors of Public Accounts may reject any complaint received pursuant to subsection (a) of this section if the Auditors of Public Accounts determine one or more of the following:
(A) There are other available remedies that the complainant can reasonably be expected to pursue;
(B) The complaint is better suited for investigation or enforcement by another state agency;
(C) The complaint is trivial, frivolous, vexatious or not made in good faith;
(D) Other complaints have greater priority in terms of serving the public good;
(E) The complaint is not timely or is too long delayed to justify further investigation; or
(F) The complaint could be handled more appropriately as part of an ongoing or scheduled regular audit.
(2) If the Auditors of Public Accounts reject a complaint pursuant to subdivision (1) of this subsection, the Auditors of Public Accounts shall provide a report to the Attorney General setting out the basis for the rejection.
(3) If at any time the Auditors of Public Accounts determine that a complaint is more appropriately investigated by another state agency, the Auditors of Public Accounts shall refer the complaint to such agency. The investigating agency shall provide a status report regarding the referred complaint to the Auditors of Public Accounts upon request.
(c) Notwithstanding the provisions of section 12-15, the Commissioner of Revenue Services may, upon written request by the Auditors of Public Accounts, disclose return or return information, as defined in section 12-15, to the Auditors of Public Accounts for purposes of preparing a report under subsection (a) or (b) of this section. Such return or return information shall not be published in any report prepared in accordance with subsection (a) or (b) of this section, and shall not otherwise be redisclosed, except that such information may be redisclosed to the Attorney General for purposes of an investigation authorized by subsection (a) of this section. Any person who violates the provisions of this subsection shall be subject to the provisions of subsection (g) of section 12-15.
(d) The Attorney General may summon witnesses, require the production of any necessary books, papers or other documents and administer oaths to witnesses, where necessary, for the purpose of an investigation pursuant to this section or for the purpose of investigating a suspected violation of subsection (a) of section 4-275 until such time as the Attorney General files a civil action pursuant to section 4-276. Upon the conclusion of the investigation, the Attorney General shall where necessary, report any findings to the Governor, or in matters involving criminal activity, to the Chief State's Attorney. In addition to the exempt records provision of section 1-210, the Auditors of Public Accounts and the Attorney General shall not, after receipt of any information from a person under the provisions of this section or sections 4-276 to 4-280, inclusive, disclose the identity of such person without such person's consent unless the Auditors of Public Accounts or the Attorney General determines that such disclosure is unavoidable, and may withhold records of such investigation, during the pendency of the investigation.
(e) (1) No state officer or employee, as defined in section 4-141, no quasi-public agency officer or employee, no officer or employee of a large state contractor and no appointing authority shall take or threaten to take any personnel action against any state or quasi-public agency employee or any employee of a large state contractor in retaliation for (A) such employee's or contractor's disclosure of information to (i) an employee of the Auditors of Public Accounts or the Attorney General under the provisions of subsection (a) of this section; (ii) an employee of the state agency or quasi-public agency where such state officer or employee is employed; (iii) an employee of a state agency pursuant to a mandated reporter statute or pursuant to subsection (b) of section 17a-28; (iv) an employee of the Probate Court where such employee is employed; or [(iv)] (v) in the case of a large state contractor, an employee of the contracting state agency concerning information involving the large state contract; or (B) such employee's testimony or assistance in any proceeding under this section.
(2) (A) Not later than ninety days after learning of the specific incident giving rise to a claim that a personnel action has been threatened or has occurred in violation of subdivision (1) of this subsection, a state or quasi-public agency employee, an employee of a large state contractor or the employee's attorney may file a complaint against the state agency, quasi-public agency, Probate Court, large state contractor or appointing authority concerning such personnel action with the Chief Human Rights Referee designated under section 46a-57. Such complaint may be amended if an additional incident giving rise to a claim under this subdivision occurs subsequent to the filing of the original complaint. The Chief Human Rights Referee shall assign the complaint to a human rights referee appointed under section 46a-57, who shall conduct a hearing and issue a decision concerning whether the officer or employee taking or threatening to take the personnel action violated any provision of this section. The human rights referee may order a state agency, [or] quasi-public agency or Probate Court to produce (i) an employee of such agency, [or] quasi-public agency or Probate Court to testify as a witness in any proceeding under this subdivision, or (ii) books, papers or other documents relevant to the complaint, without issuing a subpoena. If such agency, [or] quasi-public agency or Probate Court fails to produce such witness, books, papers or documents, not later than thirty days after such order, the human rights referee may consider such failure as supporting evidence for the complainant. If, after the hearing, the human rights referee finds a violation, the referee may award the aggrieved employee reinstatement to the employee's former position, back pay and reestablishment of any employee benefits for which the employee would otherwise have been eligible if such violation had not occurred, reasonable attorneys' fees, and any other damages. For the purposes of this subsection, such human rights referee shall act as an independent hearing officer. The decision of a human rights referee under this subsection may be appealed by any person who was a party at such hearing, in accordance with the provisions of section 4-183.
(B) The Chief Human Rights Referee shall adopt regulations, in accordance with the provisions of chapter 54, establishing the procedure for filing complaints and noticing and conducting hearings under subparagraph (A) of this subdivision.
(3) As an alternative to the provisions of subdivision (2) of this subsection: (A) A state or quasi-public agency employee who alleges that a personnel action has been threatened or taken may file an appeal not later than ninety days after learning of the specific incident giving rise to such claim with the Employees' Review Board under section 5-202, or, in the case of a state or quasi-public agency employee covered by a collective bargaining contract, in accordance with the procedure provided by such contract; or (B) an employee of a large state contractor alleging that such action has been threatened or taken may, after exhausting all available administrative remedies, bring a civil action in accordance with the provisions of subsection (c) of section 31-51m.
(4) In any proceeding under subdivision (2) or (3) of this subsection concerning a personnel action taken or threatened against any state or quasi-public agency employee or any employee of a large state contractor, which personnel action occurs not later than two years after the employee first transmits facts and information concerning a matter under subsection (a) of this section or discloses information under subdivision (1) of this subsection to the Auditors of Public Accounts, the Attorney General or an employee of a state agency, [or] quasi-public agency or Probate Court, as applicable, there shall be a rebuttable presumption that the personnel action is in retaliation for the action taken by the employee under subsection (a) of this section or subdivision (1) of this subsection.
(5) If a state officer or employee, as defined in section 4-141, a quasi-public agency officer or employee, an officer or employee of a large state contractor or an appointing authority takes or threatens to take any action to impede, fail to renew or cancel a contract between a state agency and a large state contractor, or between a large state contractor and its subcontractor, in retaliation for the disclosure of information pursuant to subsection (a) of this section or subdivision (1) of this subsection to any agency listed in subdivision (1) of this subsection, such affected agency, contractor or subcontractor may, not later than ninety days after learning of such action, threat or failure to renew, bring a civil action in the superior court for the judicial district of Hartford to recover damages, attorney's fees and costs.
(f) Any employee of a state agency, [or] quasi-public agency, Probate Court or large state contractor, who is found by the Auditors of Public Accounts, the Attorney General, a human rights referee or the Employees' Review Board to have knowingly and maliciously made false charges under subsection (a) of this section, shall be subject to disciplinary action by such employee's appointing authority up to and including dismissal. In the case of a state or quasi-public agency employee, such action shall be subject to appeal to the Employees' Review Board in accordance with section 5-202, or in the case of state or quasi-public agency employees included in collective bargaining contracts, the procedure provided by such contracts.
(g) On or before September first, annually, the Auditors of Public Accounts shall submit, in accordance with the provisions of section 11-4a, to the clerk of each house of the General Assembly a report indicating the number of matters for which facts and information were transmitted to the auditors pursuant to this section during the preceding state fiscal year and the disposition of each such matter.
(h) Each contract between a state or quasi-public agency and a large state contractor shall provide that, if an officer, employee or appointing authority of a large state contractor takes or threatens to take any personnel action against any employee of the contractor in retaliation for such employee's disclosure of information to any employee of the contracting state or quasi-public agency or the Auditors of Public Accounts or the Attorney General under the provisions of subsection (a) or subdivision (1) of subsection (e) of this section, the contractor shall be liable for a civil penalty of not more than five thousand dollars for each offense, up to a maximum of twenty per cent of the value of the contract. Each violation shall be a separate and distinct offense and in the case of a continuing violation each calendar day's continuance of the violation shall be deemed to be a separate and distinct offense. The executive head of the state or quasi-public agency may request the Attorney General to bring a civil action in the superior court for the judicial district of Hartford to seek imposition and recovery of such civil penalty.
(i) Each state agency or quasi-public agency shall post a notice of the provisions of this section relating to state employees and quasi-public agency employees in a conspicuous place that is readily available for viewing by employees of such agency or quasi-public agency. Each Probate Court shall post a notice of the provisions of this section relating to Probate Court employees in a conspicuous place that is readily available for viewing by employees of such court. Each large state contractor shall post a notice of the provisions of this section relating to large state contractors in a conspicuous place which is readily available for viewing by the employees of the contractor.
(j) No person who, in good faith, discloses information in accordance with the provisions of this section shall be liable for any civil damages resulting from such good faith disclosure.
(k) As used in this section:
(1) "Large state contract" means a contract between an entity and a state or quasi-public agency, having a value of five million dollars or more; and
(2) "Large state contractor" means an entity that has entered into a large state contract with a state or quasi-public agency.
(l) (1) No officer or employee of a state shellfish grounds lessee shall take or threaten to take any personnel action against any employee of a state shellfish grounds lessee in retaliation for (A) such employee's disclosure of information to an employee of the leasing agency concerning information involving the state shellfish grounds lease, or (B) such employee's testimony or assistance in any proceeding under this section.
(2) (A) Not later than ninety days after learning of the specific incident giving rise to a claim that a personnel action has been threatened or has occurred in violation of subdivision (1) of this subsection, an employee of a state shellfish grounds lessee or the employee's attorney may file a complaint against the state shellfish grounds lessee concerning such personnel action with the Chief Human Rights Referee designated under section 46a-57. Such complaint may be amended if an additional incident giving rise to a claim under this subdivision occurs subsequent to the filing of the original complaint. The Chief Human Rights Referee shall assign the complaint to a human rights referee appointed under section 46a-57, who shall conduct a hearing and issue a decision concerning whether the officer or employee taking or threatening to take the personnel action violated any provision of this subsection. The human rights referee may order a state shellfish grounds lessee to produce (i) an employee of such lessee to testify as a witness in any proceeding under this subdivision, or (ii) books, papers or other documents relevant to the complaint, without issuing a subpoena. If such state shellfish grounds lessee fails to produce such witness, books, papers or documents, not later than thirty days after such order, the human rights referee may consider such failure as supporting evidence for the complainant. If, after the hearing, the human rights referee finds a violation, the referee may award the aggrieved employee reinstatement to the employee's former position, back pay and reestablishment of any employee benefits for which the employee would otherwise have been eligible if such violation had not occurred, reasonable attorneys' fees and any other damages. For the purposes of this subsection, such human rights referee shall act as an independent hearing officer. The decision of a human rights referee under this subsection may be appealed by any person who was a party at such hearing, in accordance with the provisions of section 4-183.
(B) The Chief Human Rights Referee shall adopt regulations, in accordance with the provisions of chapter 54, establishing the procedure for filing complaints and noticing and conducting hearings under subparagraph (A) of this subdivision.
(3) As an alternative to the provisions of subdivision (2) of this subsection, an employee of a state shellfish grounds lessee who alleges that a personnel action has been threatened or taken may, after exhausting all available administrative remedies, bring a civil action in accordance with the provisions of subsection (c) of section 31-51m.
(4) In any proceeding under subdivision (2) or (3) of this subsection concerning a personnel action taken or threatened against any employee of a state shellfish grounds lessee, which personnel action occurs not later than two years after the employee first transmits facts and information to an employee of the leasing agency concerning the state shellfish grounds lease, there shall be a rebuttable presumption that the personnel action is in retaliation for the action taken by the employee under subdivision (1) of this subsection.
Sec. 9. Subsection (a) of section 1-123 of the general statutes is repealed and the following is substituted in lieu thereof (Effective from passage):
(a) The board of directors of each quasi-public agency shall annually submit a report to the Governor and the Auditors of Public Accounts and two copies of such report to the Legislative Program Review and Investigations Committee. Such report shall include, but not be limited to, the following: (1) A list of all bond issues for the preceding fiscal year, including, for each such issue, the financial advisor and underwriters, whether the issue was competitive, negotiated or privately placed, and the issue's face value and net proceeds; (2) a list of all projects other than those pertaining to owner-occupied housing or student loans receiving financial assistance during the preceding fiscal year, including each project's purpose, location, and the amount of funds provided by the agency; (3) a list of all outside individuals and firms receiving in excess of five thousand dollars in the form of loans, grants or payments for services, except for individuals receiving loans for owner-occupied housing and education; (4) a balance sheet and operating statement showing all revenues and expenditures; (5) the cumulative value of all bonds issued, the value of outstanding bonds, and the amount of the state's contingent liability; (6) the affirmative action policy statement, a description of the composition of the agency's work force by race, sex, and occupation and a description of the agency's affirmative action efforts; and (7) a description of planned activities for the current fiscal year. Not later than thirty days after receiving copies of such report from the board of a quasi-public agency, the Legislative Program Review and Investigations Committee shall prepare an assessment of whether the report complies with the requirements of this section and shall submit the assessment and a copy of the report to the joint standing committee of the General Assembly having cognizance of matters relating to the quasi-public agency.
Sec. 10. (NEW) (Effective October 1, 2017) On and after October 1, 2017, no state agency shall make a payment to an employee resigning or retiring from employment with such state agency for the purposes of avoiding costs associated with potential litigation or pursuant to a nondisparagement agreement without obtaining the approval of the Attorney General.
Sec. 11. Section 36a-701b of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2017):
(a) For purposes of this section, (1) "breach of security" means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable; and (2) "personal information" means an individual's first name or first initial and last name in combination with any one, or more, of the following data: (A) Social Security number; (B) driver's license number or state identification card number; or (C) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
(b) (1) Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall provide notice of any breach of security following the discovery of the breach to any resident of this state whose personal information was breached or is reasonably believed to have been breached. Such notice shall be made without unreasonable delay but not later than ninety days after the discovery of such breach, unless a shorter time is required under federal law, subject to the provisions of subsection (d) of this section and the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system. Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.
(2) If notice of a breach of security is required by subdivision (1) of this subsection:
(A) The person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General and the Auditors of Public Accounts; and
(B) The person who conducts business in this state, and who, in the ordinary course of such person's business, owns or licenses computerized data that includes personal information, shall offer to each resident whose personal information under subparagraph (A) of subdivision (4) of subsection (a) of section 38a-999b or subparagraph (A) of subdivision (2) of subsection (a) of this section was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twelve months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file.
(c) Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information of a resident of this state was breached or is reasonably believed to have been breached.
(d) Any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination.
(e) Any notice to a resident, owner or licensee required by the provisions of this section may be provided by one of the following methods: (1) Written notice; (2) telephone notice; (3) electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001; (4) substitute notice, provided such person demonstrates that the cost of providing notice in accordance with subdivision (1), (2) or (3) of this subsection would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand persons or that the person does not have sufficient contact information. Substitute notice shall consist of the following: (A) Electronic mail notice when the person has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the web site of the person if the person maintains one; and (C) notification to major state-wide media, including newspapers, radio and television.
(f) Any person that maintains such person's own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies, as applicable, residents of this state, owners and licensees in accordance with such person's policies in the event of a breach of security and in the case of notice to a resident, such person also notifies the Attorney General and the Auditors of Public Accounts not later than the time when notice is provided to the resident. Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in compliance with the security breach notification requirements of this section, provided (1) such person notifies, as applicable, such residents of this state, owners, and licensees required to be notified under and in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security, and (2) if notice is given to a resident of this state in accordance with subdivision (1) of this subsection regarding a breach of security, such person also notifies the Attorney General and the Auditors of Public Accounts not later than the time when notice is provided to the resident.
(g) Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General.
Sec. 12. Sections 6-33, 6-33a, 6-36, 6-38j and 6-38l of the general statutes are repealed. (Effective from passage)
This act shall take effect as follows and shall amend the following sections: | ||
Section 1 |
from passage |
2-90(e) |
Sec. 2 |
from passage |
4-33a |
Sec. 3 |
October 1, 2017 |
1-101pp |
Sec. 4 |
October 1, 2017 |
4-37f(8) |
Sec. 5 |
October 1, 2017 |
4-37g(b) |
Sec. 6 |
from passage |
10a-109n(c)(3) |
Sec. 7 |
from passage |
2-90b |
Sec. 8 |
October 1, 2017 |
4-61dd |
Sec. 9 |
from passage |
1-123(a) |
Sec. 10 |
October 1, 2017 |
New section |
Sec. 11 |
October 1, 2017 |
36a-701b |
Sec. 12 |
from passage |
Repealer section |
Statement of Purpose:
To implement the recommendations of the Auditors of Public Accounts contained in their annual report to the General Assembly.
[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]