SB 117, An Act Concerning Breaches Of Security Involving Electronic Personal Information
TESTIMONY OF THE CONNECTICUT HOSPITAL ASSOCIATION
SUBMITTED TO THE GENERAL LAW COMMITTEE
Wednesday, February 18, 2026
The Connecticut Hospital Association (CHA) appreciates this opportunity to submit testimony concerning SB 117, An Act Concerning Breaches Of Security Involving Electronic Personal Information. CHA recognizes the importance of maintaining strong security practices but has concerns about the implications of the bill, as written.
Connecticut hospitals make our state stronger by delivering nationally recognized, world-class care, supporting jobs and economic growth, and serving communities across Connecticut. Every day, hospitals improve access, affordability, and health equity — providing care to all patients regardless of ability to pay. At the same time, hospitals invest in their workforce and local communities, even as they navigate significant financial and federal challenges.
SB 117 creates a new category of reportable cybersecurity events with significant reporting obligations for businesses that maintain individuals’ personal data in their electronic data systems.
Over the last several years, the state has taken steps to ensure that electronic personal data held by businesses in Connecticut are protected using industry-standard mechanisms. The Office of the Attorney General plays a key role in that oversight framework, acting as the primary agency to review and investigate breaches and cybersecurity events. Under current law, Section 36a-701b, the attorney general’s office also receives mandatory reports from businesses when breaches of personal data occur.
For businesses with a reporting duty that are subject to HIPAA, the reporting obligation is generally duplicative of their HIPAA reporting. As such, those businesses are only required to copy the Office of the Attorney General; they do not have parallel reporting obligations. This makes sense and is an efficient way to share the breach reporting information, whereas other types of businesses that do not follow HIPAA (or other federal security laws) are less regulated by federal law with respect to cybersecurity, necessitating separate mandatory state reporting.
SB 117 would amend Section 36a-701b to create more oversight by the Office of the Attorney General, specific to breaches of electronic data that involve more than 100,000 persons. The category is described as a “massive breach of security.” Entities that have a HIPAA breach reporting obligation would not be allowed to submit their HIPAA breach report (as they can now) and would be required to report under the new mandatory requirement. Under the new “massive breach of security” reporting rule, impacted businesses would need to engage a third-party cybersecurity expert immediately and have that expert prepare a “forensic” report to be submitted to the Office of the Attorney General within 90 days.
CHA has the following concerns with the bill:
- There is an implication in the bill, in part through the use of the term “massive breach of security,” that a business that makes the report is automatically guilty of an offense. That is not the case and should not be the law. We live in a world full of bad actors who find new ways to breach sources of data. No cybersecurity system is immune to possible intrusion, even if state-of-the-art precautions are taken. To ensure there is no implication of wrongdoing, we ask that the following language be added to the bill:
Nothing in 36a-701b as amended shall be construed to mean an entity that makes any mandatory report has committed wrongdoing.
- The bill should also plainly state that an entity that makes a report of a “massive breach of security” is allowed to work with the third party, and take any other measures, to review and investigate the event. That could be accomplished by adding the following language:
Nothing in Section 36a-701b shall be construed to mean that an entity reporting a massive breach of security is prohibited from (1) working with the third party retained under this section to investigate the incident and develop the forensic report due to the Office of the Attorney General or (2) taking any of the steps to investigate, review and remediate after the event.
- We cannot tell from the bill whether a law enforcement hold, as described in subsection (d) of 36a-701b, is applicable to the “massive breach of security.” For HIPAA entities, there are instances when federal law enforcement instructs that a report be delayed to avoid interfering with investigations. The language of the bill should plainly indicate whether a law enforcement hold is applicable (or not) when reporting a “massive breach of security.”
- We believe the new reporting is substantially duplicative of HIPAA obligations and will be extremely costly to businesses that must follow the new rule. If passed, it would be prudent to examine the cost-benefit of the reporting mechanism. A formal report to the committees of cognizance annually would allow a fair assessment of whether this measure is necessary and valuable to the state’s efforts to protect personal data.
Thank you for your consideration of our position. For additional information, contact CHA Government Relations at (203) 294-7301.
