Beyond Breach Notification: Connecticut Proposes Mandatory Forensic Reporting to the AG
Every U.S. state has enacted some form of data breach notification law, and each applies based on where the affected individual resides, not where the business in question is located. A company with no physical presence in a state may nonetheless find itself subject to that state's requirements simply because affected individuals reside there.
With that in mind, Connecticut has introduced Raised Bill No. 117, which proposes notable new requirements that go well beyond traditional breach notification obligations. If enacted with an effective date of October 1, 2026, the bill would amend Section 36a-701b of the Connecticut General Statutes to impose mandatory forensic examination and reporting obligations following what the bill defines as a "massive breach of security."
What the Proposed Law Would Require
A New Definition: "Massive Breach of Security"
The bill introduces a new defined term, "massive breach of security," meaning a breach where the personal information of at least 100,000 Connecticut residents has been or is reasonably believed to have been breached due to the unauthorized use of a computer or computer network. Importantly, this threshold is measured by the number of affected Connecticut residents specifically, not the total number of individuals affected. Since the definition requires that the breach occurred due to the "unauthorized use of a computer or computer network," breaches caused by physical theft, social engineering that does not involve unauthorized computer access, or misuse of data by an insider with authorized system access may fall outside the scope of this obligation.[1]
Mandatory Third-Party Forensic Examination and Reporting
Under the proposed new subsection (b)(1), any person who owns, licenses or maintains computerized data containing personal information must, immediately following the discovery of a massive breach of security, retain a qualified third party to perform a forensic examination and analysis of the affected computer or computer network. That third party must prepare a detailed forensic report disclosing, at a minimum, the results of the examination, how the unauthorized use occurred and the root causes of the breach to the extent revealed by the analysis. The forensic report must be submitted to the Attorney General (AG) within 90 days of discovering the massive breach in a form and manner prescribed by the AG.
The 90-day clock raises its own set of compliance challenges. The deadline runs from "discovery of the massive breach of security," but the bill does not define when discovery occurs.[2] Does a "discovery" happen when a company first detects anomalous activity, when it confirms unauthorized access or when it determines that the 100,000-resident threshold has been met? In many breaches, weeks or months pass between initial detection and confirmation that the breach meets a specific numerical threshold, particularly where a company must cross-reference compromised records against state residency data. This ambiguity could expose companies to penalty disputes over when the clock actually started.
Even setting aside the question of when the clock begins, 90 days may be insufficient to complete a forensic investigation of a breach of this magnitude. Investigations involving sophisticated threat actors, extensive lateral movement or compromised environments spanning multiple systems routinely take well beyond 90 days. The bill provides no mechanism to request an extension and no good-faith exception for companies that have retained a forensic firm and are cooperating but cannot complete the work within the statutory window.
The bill also creates a sequencing tension with existing law. Companies must notify affected residents within 60 days of discovering a breach, but the forensic report is not due for 90 days, meaning companies must describe the breach to affected individuals before the forensic report is complete.[3] If the forensic report later reveals materially different findings, the company could face scrutiny for the adequacy of its initial notification.
Though the existing Connecticut statute allows a company to avoid notifying affected residents if it reasonably determines the breach will not likely result in harm, no such risk of harm exemption is available under the proposed forensic reporting obligation. The bill also expressly overrides safe harbors for entities that maintain their own security breach procedures or are subject to the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act. Once a breach qualifies, the forensic examination and report are mandatory without exception.
If a company fails to submit the forensic report, the AG may independently retain a third party to perform the examination and prepare the report, and the company that experienced the breach bears the cost regardless. Notably, the company would have no control over which firm the AG selects, the scope of the examination or the resulting cost, and the bill imposes no cap on expenses.[4]
Significant Civil Penalties for Noncompliance
The bill establishes substantial civil penalties for failure to submit a forensic report to the AG: $100,000 if the entity qualifies as a small business as defined by the U.S. Small Business Administration or $500,000 if it does not. These penalties are in addition to any penalty imposed under Connecticut's unfair trade practices statute.
The Impact on Attorney-Client Privilege and Work Product Protection
Though companies that experience significant data breaches are routinely subject to extensive forensic investigations, such activities are typically part of an investigation conducted by, and at the direction of, outside counsel for the purpose of providing legal advice and preparing for potential litigation, so the forensic work is subject to the protections of attorney-client privilege and the work product doctrine. These efforts include forensic investigators being engaged by counsel, coordinating the review at the direction of counsel, issuing any written findings to counsel to support their legal work and limiting the number of individuals on communications to ensure confidentiality and avoid undermining privilege claims. These practices now operate in a more challenging legal environment: some court decisions in recent years have scrutinized these protections and found that forensic reports may not qualify for privilege and work product protection where the forensic team was engaged by the business instead of counsel, where reports were prepared for business purposes or where companies sought technical rather than legal advice. Courts have also indicated that factual details about a security breach are not always privileged even when counsel is involved. Connecticut's proposed law may compound the privilege challenges and significantly limit the practical value of these protections for massive breaches, at least with respect to the AG, by mandating the submission of a detailed forensic report within 90 days without the need for a formal legal proceeding or investigatory demand. That said, there may be limits to legislation that seeks to circumvent attorney-client privilege and the work product doctrine.
The Limits of the FOIA Exemption
The bill does provide that forensic reports submitted to the AG are exempt from public disclosure under Connecticut's Freedom of Information Act (FOIA), but the exemption is narrower than it appears. The statute expressly permits the AG to make the forensic reports "available to third parties in furtherance of such investigation," which in practice means the report could be shared with other state attorneys general, federal regulators or other investigative bodies. A breach of this magnitude will almost certainly affect residents of other states whose attorneys general will have a keen interest in the forensic findings, and shared reports could also surface in multidistrict litigation proceedings as evidence in class action cases.
Forensic Reports as a Litigation Road Map
Under the current framework, an AG seeking forensic materials must either request voluntary production, issue a civil investigatory demand or seek discovery in active litigation. In each of those contexts, a company can object, challenge scope and withhold privileged material. The proposed Connecticut statute would potentially bypass this framework by compelling affirmative submission of a forensic report within 90 days without any opportunity to object or any mechanism to challenge the scope of disclosure.
The compelled disclosure of forensic reports also raises significant concerns in the context of private litigation. A forensic report that identifies root causes, documents how an intrusion occurred and details a company's cyber vulnerabilities can, in practical terms, be leveraged (and potentially mischaracterized) by a plaintiff seeking to establish negligence or inadequate security practices. Essentially, information that a company would ordinarily fight to protect through privilege assertions and careful discovery negotiations would instead already be in the hands of regulators, which may affect the company's ability to assert privilege in subsequent litigation. Rather than being incentivized to seek a candid and more detailed report under privilege regarding security shortcomings and vulnerabilities, the increased legal and security exposures presented by regulatory obligations and litigation disclosures may induce companies to scale back forensic reports and address solely how unauthorized use occurred and its root cause in a legally sufficient but more minimalist fashion, without in-depth critiques and recommendations that have historically helped companies mitigate legal risks and improve their long-term security posture.
Looking Ahead
Connecticut's Raised Bill No. 117 remains a proposal at this stage, but it is a significant one and potentially trendsetting. Connecticut has historically been at the forefront of data privacy and breach notification legislation, and the bill reflects an intent to supercharge the AG's tools for investigating large-scale breaches. It is unclear whether this legislation is truly necessary, given that companies are frequently subject to inquiries following regulatory notice of a large breach and typically cooperate with AG requests. It is also unclear whether unintended consequences of such legislation have been fully explored and considered.
If this bill is enacted, expect other states to enact similar requirements. Companies that experience large-scale breaches should begin evaluating now how mandatory forensic disclosure obligations could affect their incident response strategies, privilege frameworks and broader approach to cybersecurity governance. The bill, if passed, could mark a fundamental shift from a system in which forensic evidence is produced in response to legal process to one in which it is produced as a regulatory obligation, and the risks that come with that shift are significant.
Notes
[1] See proposed Conn. Gen. Stat. § 36a-701b(a)(2).
[2] See proposed Conn. Gen. Stat. § 36a-701b(i)(1)(B).
[3] See Conn. Gen. Stat. § 36a-701b(b)(1); see also proposed Conn. Gen. Stat. § 36a-701b(i)(1)(B).
[4] See proposed Conn. Gen. Stat. § 36a-701b(i)(2)-(3).