Day Pitney remains committed to providing quality legal counsel, while protecting our clients and employees, and transforming our communities into more just, equal and equitable spaces. For more information, please visit our COVID-19 Resource Center | Racial Justice and Equity Task Force.

×
×
About Day Pitney Careers News Client Access

Insights

Publications Events

Connecticut's Insurance Department Issues Tough Notice Requirement for Data Breaches

Publisher: Day Pitney Alert
September 13, 2010
Day Pitney Author(s) James E. Bowers

Following on the heels of Health Net's recent settlement with the Connecticut Attorney General for alleged failure to secure medical records and financial information and promptly notifying consumers and regulators of the breach,[1] the Insurance Department issued a bulletin on August 18, 2010 mandating immediate notification to the Department of data breaches by licensees and registrants of the Department.[2] The new insurance bulletin addresses the delayed notification concern by providing that the Insurance Department may impose administrative penalties on licensees and registrants that fail to quickly and affirmatively notify the Department and consumers of the risks posed by a data breach.

Triggering Event

The triggering event requiring notification is the occurrence of an "information security incident." Such an incident is defined as

"any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers."[3]

The definition of information security incident is noteworthy for its breadth of coverage. First, unlike Connecticut's breach notification statute, whose application is limited to electronic files, media, databases, or computerized data,[4] the Insurance Department's bulletin covers paper and other hard-copy media as well. Second, the breach notification statute does not apply to a breach involving encrypted data;[5] The Department's bulletin applies to encrypted data. And third, the breach notification statute excuses notification if federal, state and local law enforcement agencies concur that the breach will not likely result in harm to individuals;[6] the Department's bulletin contains no such exception.

Although the bulletin covers a breach involving "personal information," those words are not defined. Interestingly, Connecticut adopted a statute a couple of years ago that imposes safeguarding and disposal requirements on persons who possess "personal information" belonging to third parties.[7] In that statute, personal information is defined to include Social Security numbers, drivers' license numbers, state identification card numbers, account numbers, credit or debit card numbers, passport numbers, alien registration numbers, and health insurance identification numbers. This list is not exhaustive, however. Personal information is any "information capable of being associated with a particular individual through one or more identifiers."[8] Perhaps the Insurance Department will refer to that statute for guidance.

Notification Requirement

Any information security incident that affects any Connecticut resident must be reported in writing to the Insurance Department as soon as the incident is identified, but not later than five (5) calendar days after the incident is identified. Notification should include as much of the following as is known:

  • Date of the incident
  • Description of the incident (how information was lost, stolen, breached)
  • How the incident was discovered
  • Whether lost, stolen or breached information has been recovered, and if so, how
  • Whether individuals involved in the incident (both internal and external) have been identified
  • Whether a police report has been filed
  • Type of information lost, stolen or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records, etc.)
  • Whether information was encrypted
  • Time period covered by lost, stolen or breached information
  • Number of Connecticut residents affected
  • Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed
  • Identification of remedial efforts being undertaken to cure the situation that permitted the information security incident to occur
  • Copies of the licensee/registrant's privacy and data breach policies
  • Regulated entity contact person for the Department to contact regarding the incident
  • Other regulatory or law enforcement agencies notified (who, when)

The Insurance Department will want to review, in draft form, any communications proposed to be made to affected parties advising them of the incident. And depending on the type of incident and information involved, the Department also will want to have discussions regarding the level of credit monitoring and insurance protection that the Department will require to be offered to affected consumers and for what period of time.

Finally, it is the responsibility of the licensee or registrant to report information security incidents at or by its vendors or business associates that have the potential to affect personal health, financial or personal information of a Connecticut insured, member, subscriber, policyholder, or provider.

If you have questions about the Insurance Department's bulletin, please contact one of the lawyers listed above, members of Day Pitney's Data Protection Task Force. The Task Force continually monitors privacy and data security legislation and regulations in all states and counsels clients on all aspects of privacy and data security laws, including providing the following services:

  • Developing and reviewing privacy and information security policies;
  • Advising on the design and implementation of data security programs;
  • Performing privacy and data security audits;
  • Assisting clients in responding to data breaches, including implementing required notifications; and
  • Representing clients in connection with governmental and nongovernmental investigations regarding privacy and data security practices.

[1] Connecticut Attorney General's Office, Press Release, Attorney General Announces Health Net Settlement Involving Massive Security Breach Compromising Private Medical and Financial Info (July 6, 2010).

[2] State of Connecticut Insurance Department, Bulletin IC - 25 (August 18, 2010).

[3] Id.

[4] Conn. Gen. Stat. §36a-701b (January 1, 2006).

[5] Id.

[6] Id.

[7] Conn. Gen. Stat. § 42-471 (October 1, 2008).

[8] Id.

Download
Recommended
Day Pitney Hosts Annual Palm Beach Family Office Forum

Day Pitney hosted its annual invitation-only Palm Beach Family Office Forum at the PGA National Resort and Spa.

May 10 and 11, 2022
PGA National Resort and Spa
New 72-Hour Cyber Incident Notice Requirement for Critical Infrastructure Entities
March 18, 2022

Day Pitney Alert

This Is Not a Drill
March 4, 2022

Day Pitney Alert

New Russia Sanctions Require Immediate Compliance Review
February 25, 2022

Day Pitney Alert

Connecticut Enhances Data Breach Notification Law
June 25, 2021

Day Pitney Alert

Movers & Shakers
March 28, 2022

The arrival of Cybersecurity and Data Protection Partner William J. Roberts was featured in Hartford Business Journal.

In Elite Company: Announcing 2022's Connecticut Legal Awards Honorees
March 22, 2022

Day Pitney Partners William J. Roberts and Christopher F. Droney were both selected as recipients of the Distinguished Leaders Award in the 2022 Connecticut Legal Awards, sponsored by the Connecticut Law Tribune.

Attorney William J. Roberts Joins Day Pitney's Hartford Office
March 18, 2022

The arrival of William J. Roberts was featured in The Valley Press.

The Mega Metaverse Round-Up For Lawyers
March 10, 2022

Cybersecurity and Data Protection practice chair and Counsel Steven A. Cash was quoted in Above The Law's whitepaper, "The Mega Metaverse Round-Up For Lawyers."

Day Pitney Expands Connecticut Cyber Practice
March 9, 2022

The arrival of William J. Roberts was featured in Cybersecurity Law Report. Roberts is based in Hartford, CT, where he focuses on helping clients develop and implement data security systems and processes.
New Jersey Hartford Stamford Greenwich New Haven West Hartford Boston
New York Washington, DC Providence Boca Raton Miami West Palm Beach

This website may use cookies, pixel tags and other passive tracking technologies, including Google Analytics, to improve functionality and performance. For more information, see our Privacy Policy. By using our website, you are consenting to our use of these tracking technologies. You can alter the configuration of your browser to refuse to accept cookies, but if you do so, it is possible that some areas of web sites that use cookies will not function properly when you view them. To learn more about how to delete and manage cookies, refer to the support instructions for each browser (e.g., see AllAboutCookies.org). You may locate Google Analytics' currently available opt-outs for the web here.

This website may use cookies, pixel tags and other passive tracking technologies, including Google Analytics, to improve functionality and performance. For more information, see our Privacy Policy. By using our website, you are consenting to our use of these tracking technologies. You can alter the configuration of your browser to refuse to accept cookies, but if you do so, it is possible that some areas of web sites that use cookies will not function properly when you view them. To learn more about how to delete and manage cookies, refer to the support instructions for each browser (e.g., see AllAboutCookies.org). You may locate Google Analytics' currently available opt-outs for the web here.