Connecticut Amends Breach Notification Law Regarding Timing and Credit Monitoring; Imposes New Data Security Requirements on Health Insurers and State Contractors

New legislation out of Hartford means that Connecticut joins Massachusetts in imposing strict state requirements for data protection.  S.B. 949. Additionally, the new law amends Connecticut’s data breach notification law, making Connecticut the first in the nation to affirmatively require entities that experience a reportable data breach to offer free credit monitoring to residents affected by the breach. The legislation further imposes significant new requirements on health insurers, as well as contractors that receive confidential information from state agencies, to maintain minimum data security protections. While health insurers have until 2017 to come into full compliance, the requirements for state contractors are effective as of July 1, 2015.

Breach Notification and Remediation Requirements for All Businesses

The new data security law amends Connecticut’s general breach notification law to require all businesses—including health insurers—that conduct business in Connecticut and maintain personal information of its residents to offer one year of free identity theft prevention services to Connecticut residents whose information was breached or is reasonably believed to have been breached. Businesses must also provide affected residents—along with the Connecticut Attorney General—with notice within ninety days after discovery of a breach. While a handful of states set strict limits on when consumers must be notified of a breach, Connecticut would be the first state to require entities to provide identity theft protection services. (Although California provides that if credit monitoring is provided, it must be provided free of charge for at least 12 months.)

Data Security Requirements for Health Insurers and Related Entities

Section five of the new law, effective October 1 of this year with full compliance required by October 1, 2017, applies to any entity licensed to do health insurance business in Connecticut. Section five also applies to related entities involved in the business of health insurance, such as pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies.

These regulated entities—“insurers” for short—must create a “comprehensive information security program” to safeguard enrollees’ personal information. Because each security program must be “appropriate” in light of the company’s business, its resources, and the sensitivity of the data to be protected, compliance will not be a one-size-fits-all matter. But all security programs must meet certain minimum standards.

Insurers must encrypt personal information while it is transmitted wirelessly or on a public network, and must encrypt any personal information stored on a portable device. Personal information stored on internet-accessible systems must be protected by security measures including firewalls and anti-malware.

Insurers must also implement controls on who may access personal information, along with authentication and monitoring protocols to ensure that only authorized users gain access. Insurers must restrict access to only those individuals who require it to do their jobs, and must monitor their systems for breaches of security. Authorized users must be verified by either multifactor authentication—with one factor being a reasonably secure password—or by unique identifiers such as biometrics or security tokens. The law requires passwords to be reset regularly, and stored in a secure location and format.

The law also creates important obligations that will affect insurers’ relationship with their employees and contractors. Each security program must include employee policies and procedures for personal information security, and insurers must discipline employees who violate these procedures. Notably, the law also makes insurers’ responsible for overseeing third parties with which they share personal information. Insurers may only share information with third parties that are capable of implementing safeguards consistent with the law, and must require those third parties to actually implement the safeguards. When contracting with a vendor, insurers should be careful to preserve their ability to oversee the vendor’s data security practices, and should carefully consider the risk and costs of a potential data breach when selecting vendors in the first instance.

Compliance with the new Connecticut law will be an ongoing commitment, as insurers will be required to continually monitor and reevaluate the risks that they face, their strategy for controlling those risks, and the overall sufficiency of their security programs.

Data Security Requirements for State Contractors

Finally, section one of the Connecticut data security law, effective July 1 of this year, mandates that every contract under which a state agency shares confidential information require the contractor to implement and maintain a comprehensive data security plan for the protection of that information. Each security plan must comply with the law’s minimum requirements and is implemented at the contractor’s expense. The state may mandate stricter requirements where appropriate Section two of the law authorizes the Office of Policy and Management to require additional or alternate security measures if warranted by the circumstances.

The minimum requirements for state contractors are generally similar to—but somewhat less particular than—those imposed on health insurers. For example, contractors are specifically required to store confidential information on secure servers and drives, behind a firewall, monitored by intrusion detection software. Notably, contractors require the approval of the state contracting agency to store confidential information on external hard disks or removable storage media. And contractors must report any actual or suspected data breaches to the state as soon as practical following discovery. State laws imposing such granular requirements are relatively uncommon; states tend to require at most that companies take “reasonable” precautions to protect confidential information.

Businesses that work with the State of Connecticut should consider these new requirements at every stage of the contracting process. Companies that want to contract with the state should evaluate whether their current IT infrastructure will comply with the law’s requirements, and their business plans should account for the cost of compliance; both with initial technological standards and ongoing monitoring requirements.