February 25, 2020

February 24, 2020

Connecticut Budget Includes Insurance Data Security Law

Section 230 of the Connecticut budget bill is called the “Insurance Data Security Law” and becomes effective October 1, 2019. It requires any insurance licensee (anyone who is authorized or licensed and subject to the insurance laws) to implement an information security program by October 1, 2020. The requirements include the implementation and maintenance of a written information security program (WISP) based upon a risk assessment, as well as administrative, technical and physical safeguards to protect non-public information.

The WISP must include a number of things, including employee training, a record retention program, a risk assessment process, an incident response process, and a requirement to “[N]ot less than annually assess the effectiveness of such licensee’s safeguards’ key controls systems and procedures.”

The requirements are similar to the New York Department of Financial Services cybersecurity regulations, and are lengthy and specific. We did not complete a word-for-word analysis, but it looks nearly identical to the New York requirements, including requiring oversight by the Board of Directors.

Pay attention to the details, such as the fact that when there is a cybersecurity event, notification must be made to the Commissioner within three business days. If an insurance licensee notifies an individual under the Connecticut breach notification law, the insurer must notify not only the individuals, but also the Connecticut Attorney General and the Insurance Commissioner, and has a “continuing obligation to update and supplement such information.”

The enforcement provisions allow the Commissioner to do things like “suspending, revoking or refusing to reissue or renew any license, certificate of registration or authorization to operate,” … and to “impose a civil penalty of not more than fifty thousand dollars for each violation of the provision of this section.”

The bill also requires insurance licensees to offer 24 months of credit monitoring to affected individuals in the event of a data breach, which is consistent with the Connecticut data breach notification law.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...