Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

An Overview of Connecticut SB 1103 : An Act Concerning Artificial Intelligence, Automated Decision-Making and Personal Data Privacy

Contributors

Anas Baig

Product Marketing Manager at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada

Listen to the content

Introduction

On June 7, 2023, Connecticut Governor Ned Lamont signed Senate Bill No. 1103 – An Act Concerning Artificial Intelligence, Automated Decision-Making and Personal Data Privacy, a landmark law that will increase the transparency and accountability of the state government's use of AI and automated decision-making tools.

Sections 1 to 3 of the law took effect on July 1, 2023, Section 4 became effective on October 1, 2023, and Section 5 took effect upon the passage of the Act.

Definitions of Key Terms

1. Artificial Intelligence

‘Artificial Intelligence (AI)’ means:

A. an artificial system that:

  1. performs tasks under varying and unpredictable circumstances without significant human oversight or can learn from experience and improve such performance when exposed to data sets,
  2. is developed in any context, including, but not limited to, software or physical hardware, and solves tasks requiring human-like perception, cognition, planning, learning, communication or physical action, or
  3. is designed to:
    1. think or act like a human, including, but not limited to, a cognitive architecture or neural network, or
    2. act rationally, including, but not limited to, an intelligent software agent or embodied robot that achieves goals using perception, planning, reasoning, learning, communication, decision-making or action, or
  4. a set of techniques, including, but not limited to, machine learning, that is designed to approximate a cognitive task.

B. State Agency

‘State Agency’ means each department, board, council, commission, institution or other agency of the Executive Department of the state government, provided each board, council, commission, institution or other agency included by law within any given department shall be deemed a division of that department. The term also includes:

  1. the offices of the Governor, Lieutenant Governor, Treasurer, Attorney General, Secretary of the State and Comptroller, and
  2. all operations of an Executive Department agency that are funded by either the General Fund or a special fund.

Obligations of the Department of Administrative Services

Under the law, the Department of Administrative Services (DAS) was required to conduct an inventory of all artificial intelligence-based systems used by any state agency by December 31, 2023, and must continue to do so annually. For each of these systems, each such inventory must have at least the following details:

  • The name of such system and the vendor, if any, that provided such system;
  • A description of the general capabilities and uses of such a system;
  • Whether such a system was used to independently make, inform or materially support a conclusion, decision, or judgment; and
  • Whether such a system underwent an impact assessment before implementation.

The DAS is also required to make every completed inventory publicly accessible on the state's open data site. Furthermore, from February 1, 2024, the DAS began performing ongoing assessments of systems that employ AI and are in use by state agencies to ensure that no such system:

  1. results in any unlawful discrimination against any individual or group of individuals, or
  2. has any unlawful disparate impact on any individual or group of individuals on the basis of any actual or perceived differentiating characteristic, including, but not limited to, age, genetic information, color, ethnicity, race, creed, religion, national origin, ancestry, sex, gender identity or expression, sexual orientation, marital status, familial status, pregnancy, veteran status, disability or lawful source of income.

The DAS must perform the assessments in accordance with the policies and procedures established by the Office of Policy and Management (OPM).

Obligations of the Office of Policy and Management

Beginning February 1, 2024, the OPM was required to develop and establish policies and processes regarding the development, procurement, implementation, utilization, and continuous assessment of AI systems used by state agencies. Such policies and procedures must, at the very least, include policies and procedures that:

  • Govern the procurement, implementation and ongoing assessment of such systems by state agencies;
  • Are sufficient to ensure that no such system:
    • results in any unlawful discrimination against any individual or group of individuals, or
    • has any unlawful disparate impact on any individual or group of individuals based on any actual or perceived differentiating characteristic, including, but not limited to, age, genetic information, color, ethnicity, race, creed, religion, national origin, ancestry, sex, gender identity or expression, sexual orientation, marital status, familial status, pregnancy, veteran status, disability or lawful source of income;
  • Require a state agency to assess the likely impact of any such system before implementing such system; and
  • Provide for the DAS to perform ongoing assessments of such systems to ensure that no such system results in any unlawful discrimination or disparate impact.

The OPM must also post the policies and procedures on the office’s website, including any revisions.

Furthermore, from February 1, 2024, no state agency has been allowed to implement any system that employs AI:

  • unless the state agency has conducted an impact assessment to ensure that such a system won't have any adverse impacts or result in unlawful discrimination; and
  • if the head of such state agency determines that such a system will result in any unlawful discrimination or disparate impact.

Obligations of the Judicial Department

Beginning December 31, 2023, and annually thereafter, the Judicial Department (JD) is required to conduct an inventory of all its systems that employ AI. Every completed inventory must be made publicly accessible on the department's website.

From February 1, 2024, the JD has also been required to create policies and practices governing the department's development, procurement, implementation, utilization, and continuing assessment of its systems that employ AI.

Such policies and procedures must, at the very least,

  • Govern the JD’s procurement, implementation and ongoing assessment of such systems;
  • Be sufficient to ensure that no such system:
    • results in any unlawful discrimination against any individual or group of individuals, or
    • has any unlawful disparate impact on any individual or group of individuals based on any actual or perceived differentiating characteristic, including, but not limited to, age, genetic information, color, ethnicity, race, creed, religion, national origin, ancestry, sex, gender identity or expression, sexual orientation, marital status, familial status, pregnancy, veteran status, disability or lawful source of income;
  • Require the JD to assess the likely impact of any such system before implementing such system; and
  • Provide for the JD to perform ongoing assessments of such systems to ensure that no such system results in any unlawful discrimination or disparate impact.

The JD must also post the policies and procedures, including any revisions, on the office’s internet website.

Furthermore, from February 1, 2024, the JD has:

  • Not been allowed to implement a system that employs AI unless:
    • the state agency has conducted an impact assessment to ensure that such a system won't have any adverse impacts or result in unlawful discrimination; or
    • if the head of such state agency determines that such a system will result in any unlawful discrimination or disparate impact.
  • Perform ongoing assessments of its systems that employ AI to ensure that no such system results in unlawful discrimination or adverse impact on any individual or a group of individuals.

General Obligation for State Agencies

No state contracting agency has been allowed to engage in any contract with a business on or after October 1, 2023, unless such contract contains a provision requiring the business to comply with all applicable provisions of the Connecticut Data Privacy Law (CTDPA) - Sections 42-515 to 42-525 of the General Statutes of Connecticut.

Establishment of a Working Group

The law establishes a working group to engage stakeholders and experts to:

  • Make recommendations concerning and develop best practices for the ethical and equitable use of AI in state government;
  • make recommendations concerning the policies and procedures;
  • assess the White House Office of Science and Technology Policy's "Blueprint for an AI Bill of Rights" and similar materials and make recommendations concerning the following:
    • regulation of the use of AI in the private sector based, among other things, on the said blueprint, and
    • adoption of a Connecticut AI bill of rights based on a said blueprint; and
  • make recommendations concerning the adoption of other legislation concerning AI.

The working group was required to submit a report on its conclusions and suggestions to the joint standing committee of the General Assembly by February 1, 2024. The working group ceased to exist on the day it submitted the report or on February 1, 2024, whichever was later.

Key Takeaways for Businesses

If your organization deals in AI-based solutions and engages or intends to engage in business with the Connecticut state government, it must ensure the following:

    • Understand the scope of the CTDPA and make efforts to be in compliance with its provisions;
    • Conduct internal or external assessments of your AI solutions to ensure that none of them results in:
      • Unlawful discrimination against the consumers under the federal or states laws; and
      • An adverse impact on the individuals on actual or perceived differentiating characteristics; and
    • Prepare your organization to assist your customers who are government agencies to comply with the impact assessment obligations under the law.
Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix View More
Simplifying Global Direct Marketing Compliance with Securiti’s Rules Matrix
The Challenge of Navigating Global Data Privacy Laws In today’s privacy-first world, navigating data protection laws and direct marketing compliance requirements is no easy...
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA) View More
A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA)
Delve into Uganda's Data Protection and Privacy Act (DPPA), including data subject rights, organizational obligations, and penalties for non-compliance.
Data Risk Management View More
What Is Data Risk Management?
Learn the ins and outs of data risk management, key reasons for data risk and best practices for managing data risks.
View More
Getting Ready for the EU AI Act: What You Should Know For Effective Compliance
Securiti's whitepaper provides a detailed overview of the three-phased approach to AI Act compliance, making it essential reading for businesses operating with AI.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
View More
Unlock Amazon Q’s Full Potential with Secure, Governed Data
Learn how robust DSPM can help secure Amazon Q data access, automate sensitive data tagging, eliminate ROT data, and maximize AI productivity safely.
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders View More
Singapore’s PDPA & Consent: Clear Guidelines for Enterprise Leaders
Download the essential infographic for enterprise leaders: A clear, actionable guide to Singapore’s PDPA and consent requirements. Stay compliant and protect your business.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New