Connecticut Mandates Fast Breach Notification
A recent directive from the Connecticut Insurance Department requires all regulated entities in the state to notify the department of "any information security incident" within five calendar days of the incident being identified. The bulletin makes clear that the department intends to play an active role in resolution of data breaches in Connecticut.
A recent directive from the Connecticut Insurance Department requires all regulated entities in the state to notify the department of "any information security incident" within five calendar days of the incident being identified. The bulletin makes clear that the department intends to play an active role in resolution of data breaches in Connecticut.
"The Department will want to review, in draft form, any communications proposed to be made to affected insureds, members, subscribers, policyholders or providers advising them of the incident," the bulletin states. "Depending on the type of incident and information involved, the Department also will want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time."
Health care-related regulated entities that fall under the new directive include life and health insurers, health care centers, preferred provider networks, pharmacy benefit managers and medical discount plans, according to Bulletin IC-25, available here. Regulated entities also must report breaches by vendors and business associates, and the insurance department will oversee resolution of those breaches, as well.
The directive defines an information security incident as any unauthorized acquisition, transfer or access of personal health, financial and "personal information" as defined, whether or not encrypted. Personal information includes, among others, Social Security, driver's license, state identification card, account, credit/debit card, passport, alien registration and health insurance numbers. It does not include publicly available information lawfully made available to the general public.
"The Department understands and even expects that with the overwhelming amount of information obtained and maintained by all businesses that there will be at times information security incidents which are beyond the control of the best management practices," according to the bulletin. "The Department's concern is to make certain that in addition to minimizing these incidents, licensees and registrants react quickly and affirmatively to let affected Connecticut consumers know that they may be at risk and what is being done to protect sensitive and confidential information. The Department also wants to make sure that there is an opportunity for the Department to actively monitor the situation and guarantee those consumer protections throughout the process."
Consequently, the insurance department wants notification sent to the state to include information in 15 different areas, such as date and description of the incident, how it was discovered, the number of affected residents, the type of affected information, and whether a police report was filed.
--Joseph Goedert
"The Department will want to review, in draft form, any communications proposed to be made to affected insureds, members, subscribers, policyholders or providers advising them of the incident," the bulletin states. "Depending on the type of incident and information involved, the Department also will want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time."
Health care-related regulated entities that fall under the new directive include life and health insurers, health care centers, preferred provider networks, pharmacy benefit managers and medical discount plans, according to Bulletin IC-25, available here. Regulated entities also must report breaches by vendors and business associates, and the insurance department will oversee resolution of those breaches, as well.
The directive defines an information security incident as any unauthorized acquisition, transfer or access of personal health, financial and "personal information" as defined, whether or not encrypted. Personal information includes, among others, Social Security, driver's license, state identification card, account, credit/debit card, passport, alien registration and health insurance numbers. It does not include publicly available information lawfully made available to the general public.
"The Department understands and even expects that with the overwhelming amount of information obtained and maintained by all businesses that there will be at times information security incidents which are beyond the control of the best management practices," according to the bulletin. "The Department's concern is to make certain that in addition to minimizing these incidents, licensees and registrants react quickly and affirmatively to let affected Connecticut consumers know that they may be at risk and what is being done to protect sensitive and confidential information. The Department also wants to make sure that there is an opportunity for the Department to actively monitor the situation and guarantee those consumer protections throughout the process."
Consequently, the insurance department wants notification sent to the state to include information in 15 different areas, such as date and description of the incident, how it was discovered, the number of affected residents, the type of affected information, and whether a police report was filed.
--Joseph Goedert
More for you
Loading data for hdm_tax_topic #reducing-cost...