Connecticut Passes Insurance Data Security Law

As part of the budget bill, Connecticut passed a law that more comprehensively addresses data security and is similar to the model law for insurance data security from the National Association of Insurance Commissioners.  The law took effect on October 1, 2019.  Its provisions apply to individuals or entities licensed or authorized under the insurance statutes (“licensees”) and requires the implementation of a written information security program (“WISP”) to protect nonpublic information.  If there is any unauthorized access to information systems or nonpublic information, the licensee must notify the insurance commissioner within three business days and perform an investigation. If there is unauthorized access to nonpublic information, this new law, like other state law requirements, mandates that the licensee notify those affected.

Licensees have one year from the effective date to implement a WISP based on a risk assessment and designed to protect against hazards or threats to information systems and nonpublic information.  Notably, licensees with fewer than 10 employees (including independent contractors with access to nonpublic information) do not have to comply with the WISP requirement.  Licensees with fewer than 20 employees have an extra year, until October 1, 2021, to comply with the WISP requirements. Further, licensees subject to and compliant with HIPAA’s Privacy and Security Rule requirements are deemed to have satisfied the risk assessment and WISP provisions of the new law.

The complexity and scope of the WISP must be commensurate with the licensee’s operations and the types of data the licensee maintains.  The law requires the consideration of numerous security measures as part of the risk assessment and risk management process.  A written incident response plan must also be part of the WISP. For a more detailed summary of the law, see the Office of Legislative Research’s Public Act Summary beginning on page 89.