Connecticut Becomes Latest State to Enact Insurance Data Security Law
Friday, August 2, 2019
CT Data Security Law
Print Mail Download i

On July 26, 2019, Connecticut Governor Ned Lamont signed into the law the state’s new Insurance Data Security Law, which imposes new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department (“CID”).  In doing so, Connecticut joins New York, South Carolina, Ohio, Michigan, and Mississippi as states that have enacted information security laws for insurance companies.  However, whereas the recent trend has been to follow the 2018 Model Act published by the National Association of Insurance Commissioners (“NAIC”), Connecticut largely followed the New York Department of Financial Services’ 2017 Cybersecurity Regulations.

The Connecticut law will require companies to maintain an information security program that is commensurate with the size and complexity of the size and complexity of the licensee’s operations; perform regular risk assessments; and designate a responsible individual to oversee the information security program.  The law also requires oversight by the licensee’s board of directors and annual certification of compliance to the CID.  Licensees will also have to report cybersecurity incidents to the CID within three business days.  The law is effective October 1, 2019, but gives licensees until October 1, 2020 to implement their security programs.

While the Connecticut law does not break new substantive ground, it is significant for two reasons.  First, Connecticut’s law demonstrates that states have not uniformly adopted the NAIC model over the NYDFS model.  And, while the NYDFS and NAIC models are similar, there are important differences in the details.  Second, regardless of which model is chosen, Connecticut’s law highlights the fact that insurance companies operating across multiple states will have different obligations, especially with respect to breach notification.  Accordingly, insurance licensees should ensure that they are staying abreast of developments and prepared to comply with the changing patchwork of laws and regulations.

Copyright © by Ballard Spahr LLP

Current Legal Analysis

More from Ballard Spahr LLP

FinCEN Deputy Director Stresses Technological Innovation, Virtual Currency Enforcement and the U.S. Culture of Compliance
by: Brian N. Kearney
The EU’s Efforts to Combat Money Laundering, the Financing of Terrorism and Corruption Seem to Overlook a Very American Approach: Prosecute People
by: Peter D. Hardy , Mary Treanor
California Legislature Adopts Five Amendments to CCPA, But Largely Rejects Industry Efforts
by: Gregory Szewczyk
Should the Financial Industry Be Detecting Future Mass Shooters?
by: Peter D. Hardy , Mary Treanor
Trump Administration to Discharge the Federal Student Loan Debt of Totally and Permanently Disabled Veterans
by: Stacy H. Rubin
FinCEN Advisory Highlights Money Laundering Risks Related to Fentanyl Trafficking
by: Terence M. Grugan
CFPB’s First Remittance Transfer Rule Enforcement Action
by: Bowen "Bo" Ranney , James Kim
FinCEN Announces New “Global Investigations Division” Focused on Foreign Money Laundering Threats
by: Peter D. Hardy
DOL Seeks to Improve Employers’ FMLA Forms
by: Brian D. Pedrow , David S. Fryman
The Federal Reserve’s Entry into Real-Time Payments
by: Christopher D. Ford , Judy Mok

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins