Jul 22015

Connecticut Amends Breach Notification Law Regarding Timing and Credit Monitoring; Imposes New Data Security Requirements on Health Insurers and State Contractors

Marci Rozen, Gabriel Schonfeld, Anna Spencer, Colleen Theresa Brown and Andrew R. Holland
, , , , ,

New legislation out of Hartford means that Connecticut joins Massachusetts in imposing strict state requirements for data protection.  S.B. 949. Additionally, the new law amends Connecticut’s data breach notification law, making Connecticut the first in the nation to affirmatively require entities that experience a reportable data breach to offer free credit monitoring to residents affected by the breach. The legislation further imposes significant new requirements on health insurers, as well as contractors that receive confidential information from state agencies, to maintain minimum data security protections. While health insurers have until 2017 to come into full compliance, the requirements for state contractors are effective as of July 1, 2015.

Breach Notification and Remediation Requirements for All Businesses

The new data security law amends Connecticut’s general breach notification law to require all businesses—including health insurers—that conduct business in Connecticut and maintain personal information of its residents to offer one year of free identity theft prevention services to Connecticut residents whose information was breached or is reasonably believed to have been breached. Businesses must also provide affected residents—along with the Connecticut Attorney General—with notice within ninety days after discovery of a breach. While a handful of states set strict limits on when consumers must be notified of a breach, Connecticut would be the first state to require entities to provide identity theft protection services. (Although California provides that if credit monitoring is provided, it must be provided free of charge for at least 12 months.)

Data Security Requirements for Health Insurers and Related Entities

Section five of the new law, effective October 1 of this year with full compliance required by October 1, 2017, applies to any entity licensed to do health insurance business in Connecticut. Section five also applies to related entities involved in the business of health insurance, such as pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies.

These regulated entities—“insurers” for short—must create a “comprehensive information security program” to safeguard enrollees’ personal information. Because each security program must be “appropriate” in light of the company’s business, its resources, and the sensitivity of the data to be protected, compliance will not be a one-size-fits-all matter. But all security programs must meet certain minimum standards.

Insurers must encrypt personal information while it is transmitted wirelessly or on a public network, and must encrypt any personal information stored on a portable device. Personal information stored on internet-accessible systems must be protected by security measures including firewalls and anti-malware.

Insurers must also implement controls on who may access personal information, along with authentication and monitoring protocols to ensure that only authorized users gain access. Insurers must restrict access to only those individuals who require it to do their jobs, and must monitor their systems for breaches of security. Authorized users must be verified by either multifactor authentication—with one factor being a reasonably secure password—or by unique identifiers such as biometrics or security tokens. The law requires passwords to be reset regularly, and stored in a secure location and format.

The law also creates important obligations that will affect insurers’ relationship with their employees and contractors. Each security program must include employee policies and procedures for personal information security, and insurers must discipline employees who violate these procedures. Notably, the law also makes insurers’ responsible for overseeing third parties with which they share personal information. Insurers may only share information with third parties that are capable of implementing safeguards consistent with the law, and must require those third parties to actually implement the safeguards. When contracting with a vendor, insurers should be careful to preserve their ability to oversee the vendor’s data security practices, and should carefully consider the risk and costs of a potential data breach when selecting vendors in the first instance.

Compliance with the new Connecticut law will be an ongoing commitment, as insurers will be required to continually monitor and reevaluate the risks that they face, their strategy for controlling those risks, and the overall sufficiency of their security programs.

Data Security Requirements for State Contractors

Finally, section one of the Connecticut data security law, effective July 1 of this year, mandates that every contract under which a state agency shares confidential information require the contractor to implement and maintain a comprehensive data security plan for the protection of that information. Each security plan must comply with the law’s minimum requirements and is implemented at the contractor’s expense. The state may mandate stricter requirements where appropriate Section two of the law authorizes the Office of Policy and Management to require additional or alternate security measures if warranted by the circumstances.

The minimum requirements for state contractors are generally similar to—but somewhat less particular than—those imposed on health insurers. For example, contractors are specifically required to store confidential information on secure servers and drives, behind a firewall, monitored by intrusion detection software. Notably, contractors require the approval of the state contracting agency to store confidential information on external hard disks or removable storage media. And contractors must report any actual or suspected data breaches to the state as soon as practical following discovery. State laws imposing such granular requirements are relatively uncommon; states tend to require at most that companies take “reasonable” precautions to protect confidential information.

Businesses that work with the State of Connecticut should consider these new requirements at every stage of the contracting process. Companies that want to contract with the state should evaluate whether their current IT infrastructure will comply with the law’s requirements, and their business plans should account for the cost of compliance; both with initial technological standards and ongoing monitoring requirements.

 

 

Marci Rozen

mrozen@sidley.com

Gabriel Schonfeld

gschonfeld@sidley.com

Anna Spencer

aspencer@sidley.com

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Andrew R. Holland

New York

aholland@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).