On June 4, 2018, the Governor signed into law Public Act 18-90, An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies (the “Act”), likely in reaction to the Equifax breach among many others.  The title of the Act leaves little to the imagination as to its subject matter.

This Act, designed to protect consumers, contains a number of protections for consumers with regard to credit agencies.  First, it eliminates the fee consumers must pay to credit agencies to place and remove security freezes.  Second, while the credit agencies previously had to act on these requests no later than five days for a security freeze and three days for the removal of a security freeze, now, the credit agencies must act on them as soon as practicable, but no later than those time frames.   Third, credit agencies cannot require a consumer to enter into any sort of agreement limiting claims he/she may have against the credit agency, as a condition of placing a security freeze.

Additionally, the Act requires that in the event of a breach that involves Social Security Numbers, businesses must provide identity theft protection to consumers for a period of twenty-four months rather than twelve months.  Anecdotally, this has been the practice of the Connecticut AG office; however, now the legislature codified it as law.  Staying on the topic of breaches, the Act also contains a mandate to the Banking Commissioner to adopt regulations that require credit agencies to provide a dedicated point of contact following a data breach and report certain financial information associated with identity theft protection and mitigation services.



Photo of Daniel J. Kagan Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.