On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.”[1] The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identify theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears of data security.

Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification.[2] Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.

In addition, no later than October 1, 2017, health insurers, pharmacy benefit managers and certain other entities regulated by the Connecticut Insurance Department must implement and maintain a “comprehensive information security program” to protect personal information. While the requirements generally track HIPAA obligations that will likely already apply to these entities, the new requirements go further, for example by requiring encryption of all personal information transmitted on a public Internet network or wirelessly, encryption of all personal information stored on a portable device, specified secure authentication and access protocols, and imposition of disciplinary measures for employees who violate the security policies or procedures. Under the security program, the entities must also prevent terminated, inactive, or retired employees from accessing personal information.

New requirements with respect to state contractors will also take effect. Beginning in July 2015, state agencies must require in every written agreement that private contractors implement and maintain a “comprehensive data-security program.” Among other requirements, contractors will be prohibited from storing data on stand-alone devices (such as flash drives or laptop notebooks) unless expressly permitted to do so in the state contract, and contractors, not the State, must bear any added expense associated with implementing the data security program. In addition, the written agreement must stipulate how costs of data breach notification will be allocated between the state agency and the contractor.

With respect to enforcement, the Attorney General continues to have authority over data breach notification. The Act also newly empowers the Attorney General to bring civil suit against a contractor in breach of the new comprehensive data-security program law, while the Secretary of Office Policy and Management may require contractors to take additional security protections where the type and amount of information warrants such protection. With respect to health insurance entities, the Insurance Commissioner will enforce the new data security requirements.

Companies doing business in Connecticut or contracting with the State of Connecticut should carefully review the added data security and breach notification measures and consider whether revisions of current policies are necessary to comply with the state’s stringent new requirements.

Special thanks to Proskauer summer associate Krista L. White for her contributions to this post.

[1] S.B. 949 (Ct. 2015).

[2] “Statement from AG Jepsen on Final Passage of Data Breach Notification and Consumer Protection Legislation,” Connecticut Office of the Attorney General, http://ct.gov/ag/cwp/view.asp?A=2341&Q=566508 (last visited July 13, 2015).

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ellen H. Moskowitz Ellen H. Moskowitz

Ellen is a senior counsel in the Corporate Department and a member of the Health Care Group. She assists clients in the health care, life sciences, sports and non-profit industries.

Ellen advises on complex health care regulatory matters, health privacy and data security…

Ellen is a senior counsel in the Corporate Department and a member of the Health Care Group. She assists clients in the health care, life sciences, sports and non-profit industries.

Ellen advises on complex health care regulatory matters, health privacy and data security issues, and health-related labor and employment matters.  Her work with social services and charitable organizations particularly focuses on corporate governance matters.  Ellen’s clients are diverse, spanning hospital systems, physician groups and other health care providers and associations, health technology companies, social services and charitable organizations, professional sports leagues, pharmaceutical and medical device companies, private equity firms, health plans, health management companies, and tissue banks and organ procurement organizations.

Ellen is accredited by the International Association of Privacy Professionals as a certified information privacy professional in the U.S. private sector. She has written and lectured widely on health care law, policy and ethics.

Before joining Proskauer, Ellen was an associate for law with The Hastings Center, a private, nonpartisan education and research institute that examines ethical and policy issues in medicine, health and the environment. She also has served as associate counsel to the New York State Task Force on Life and the Law, a state law reform commission, where she helped to develop laws and regulations on care of the dying, organ transplantation and assisted reproduction.