Connecticut Budget Includes Insurance Data Security Law
Thursday, July 11, 2019
Insurance Data Security Law Connecticut

Related Practices & Jurisdictions
Print Mail Download i

Section 230 of the Connecticut budget bill is called the “Insurance Data Security Law” and becomes effective October 1, 2019. It requires any insurance licensee, (anyone who is authorized or licensed and subject to the insurance laws) to implement an information security program by October 1, 2020. The requirements include the implementation and maintenance of a written information security program (WISP) based upon a risk assessment as well as administrative, technical and physical safeguards to protect non-public information.

The WISP must include a number of things, including employee training, a record retention program, a risk assessment process, an incident response process, and to “[N]ot less than annually assess the effectiveness of such licensee’s safeguards’ key controls systems and procedures.”

The requirements are similar to the New York Department of Financial Services cybersecurity regulations, and are lengthy and specific. We did not complete a word-for-word analysis, but it looks nearly identical to the New York requirements, including requiring oversight by the Board of Directors.

Pay attention to the details, such as the fact that when there is a cybersecurity event, notification must be made to the Commissioner within three business days. If an insurance licensee notifies an individual under the Connecticut breach notification law, the insurer must notify not only the individuals, but also the Connecticut Attorney General and the Insurance Commissioner, and has a “continuing obligation to update and supplement such information.”

The enforcement provisions allow for the Commissioner to do things like, “suspending, revoking or refusing to reissue or renew any license, certificate of registration or authorization to operate,” … and state that the Commissioner “impose a civil penalty of not more than fifty thousand dollars for each violation of the provision of this section.”

The bill also requires insurance licensees to offer 24 months of credit monitoring to affected individuals in the event of a data breach, which is consistent with the Connecticut data breach notification law.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

The Department of Education Releases Significant Revisions to Title IX Regulations
by: Kathleen E. Dion , Seth B. Orkand
Privacy Tip #394 – Colorado Amends Privacy Law to Include Neurodata
by: Linn F. Freedman
New Threat: Scattered Spider International Coalition of Hackers
by: Linn F. Freedman
Joint Guidance Published by Five Eyes on Deploying AI Systems Securely
by: Linn F. Freedman
U.S. Government Intervenes in Case Alleging Unauthorized Disclosure of CUI
by: Data Privacy & Cybersecurity Robinson Cole
DoorDash Settles with California Attorney General for Alleged Violations of the CCPA
by: Kathryn M. Rattigan
The State of AI Governance and Diversity: Takeaways from the AI Index Report
by: Blair V. Robinson
Weight Loss, Miracle Medications & the Workplace
by: Abby M. Warren
Additional States Implement Notice Requirements for Healthcare Transactions
by: Leslie J. Levinson , Danielle H. Tangorre
Privacy Tip #393 – Phishing, Smishing, Vishing and Qrishing Schemes Continue to Dupe Users
by: Linn F. Freedman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins