Updates to State Data Security and Breach Notification Laws — Connecticut and Oregon
Last week, both Connecticut and Oregon amended their respective data security and breach notification laws, imposing stricter requirements on entities that store or process personally identifiable information (“PII”) or health-related information. A full analysis of each bill is below.
Connecticut (S.B. 949)
Under the new law, Connecticut will require breached entities to provide notice to affected individuals within 90 days of discovering a breach, although the law allows notification to be delayed if the entity requires additional time to complete its investigation of the breach. If a breach exposes Social Security numbers, Connecticut will also require breached entities to offer a year of complimentary identity theft prevention and mitigation services, and the notifications must include information on enrolling in these services, as well as information on placing a credit freeze.
These breach notice provisions will go into effect on October 1, 2015.
Data Security Requirements for State Contractors
The law will also impose new data security requirements on entities that contract with state agencies (“contractors”). If a contractor receives “confidential information” — defined to include information such as name, date of birth, government-issued identification number, financial information, and any information designated as confidential — from a state agency, the contract must require the entity to implement and maintain a “comprehensive data-security program,” including the use of security policies, annual reviews of such policies, access restrictions, and mandatory security awareness training for employees. Additionally, Connecticut will require contractors to maintain confidential information on secure servers and drives behind firewall protections and monitored by intrusion detection software. The law will prohibit contractors from storing confidential information “on stand-alone computer or notebook hard disks or portable storage devices,” unless the contract provides otherwise and sufficient security measures are in place.
In the case of a breach, the contractor must notify the state contracting agency and the state Attorney General “as soon as practicable” following the discovery of the breach, and submit a report detailing the breach or why the contractor believes no breach occurred. Each contract must include a proposed timeline for submitting such a report, as well as describe how the cost of breach notification and investigation will be apportioned between the contractor and state agency. If a breach exposes education records — as defined by the federal Family Educational Rights and Privacy Act — the contractor can be subject to a five-year ban on receiving such information.
These state contractor provisions will go into effect on July 1, 2015.
Data Security Requirements for Health Insurance Industry
The law also requires health insurance entities (including health insurers, health care centers, pharmacy benefits managers, third-party administrators, and utilization review companies) to implement, maintain, and update annually a “comprehensive information security program” to protect personal information, defined to include protected health information, government-issued ID numbers, biometric data, and financial information. Among other elements, the information security program must include specific access controls (including multi-factor authentication), encryption of confidential information in transit over the public Internet, employee education programs, risk assessments, on-boarding procedures, disciplinary measures for employees who violate the policies or procedures, and oversight of vendor data security contracts.
Under penalty of perjury, companies must certify annually to the Connecticut Insurance Department that they have complied with these requirements. The new law grants the Connecticut Insurance Commissioner authority to enforce these provisions, although the bill does not outline what penalties may apply.
These health insurance industry provisions will go into effect on October 1, 2017.
Smartphone “Kill Switches”
The law requires all “smartphones” offered for sale in Connecticut to include hardware or software (which can be downloadable upon initial activation) that allows an authorized user to render the “essential features” of the phone inoperable to an unauthorized user. Connecticut defines “smartphone” as any “mobile voice communications handset device” that includes all of the following features:
(1) a mobile operating system,
(2) the capability to utilize software applications, access and browse the Internet, utilize text messaging, utilize digital voice service, and send and receive electronic mail,
(3) wireless network connectivity, and
(4) the capability of operating on a long-term evolution network or on any successor wireless data communication standard.
Connecticut excludes “a telephone commonly referred to as a ‘feature’ or ‘messaging’ telephone, a laptop computer, a tablet device or a device that only has electronic reading capability” from the definition.
These smartphone provisions will go into effect on July 1, 2017.
Oregon (S.B. 601)
Under the new law, Oregon expands the definition of “personal information.” In addition to the data elements already covered, notification of individuals will now be mandatory when the compromised information includes a consumer’s full name together with any of the following:
(1) data from the automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction (i.e., biometrics);
(2) a consumer’s health insurance policy number or subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or
(3) any information about a consumer’s medical history or mental or physical condition, or about a health care professional’s medical diagnosis or treatment of the consumer.
The bill requires entities to notify, in writing or electronically, the Oregon Attorney General following a breach involving more than 250 residents, and the notification must be made “in the manner described” for individual notifications. The bill also requires consumer notifications to include “[a]dvice to the consumer to report suspected identity theft to law enforcement, including the [Oregon] Attorney General and the Federal Trade Commission.”
The bill also adds an exception to the individual notification requirements for covered entities as defined by the federal Health Insurance Portability and Accountability Act, provided that the covered entity sends the Oregon Attorney General a copy of the notice it provides to its primary federal regulator.
Lastly, the bill defines violations to be unlawful trade practices, in addition to the penalties available under the state’s preexisting data breach notification law (including injunctive relief and penalties of up to $1,000 per violation, capped at $500,000). As a result, a prosecutor can seek injunctions and, for willful violations, civil penalties of up to $25,000 per violation.
These provisions will go into effect on January 1, 2016.