On July 1, 2015, Connecticut’s governor signed into law Public Act No. 15-142, An Act Improving Data Security and Agency Effectiveness (the “Act”), that (1) amends the state’s data breach notification law to require notice to affected individuals and the Connecticut Attorney General within 90 days of a security breach and expands the definition of personal information to include biometric data such as fingerprints, retina scans and voice prints; (2) affirmatively requires all businesses, including health insurers, who experience data breaches to offer one year of identity theft prevention services to affected individuals at no cost to them; and (3) requires health insurers and contractors who receive personal information from state agencies to implement and maintain minimum data security safeguards. With the passing of the Act, Connecticut becomes the first state to affirmatively require businesses to provide these security services to consumers.
A brief summary of the data security requirements for health insurers and state contractors is set forth below:
The new legislation requires health insurers and related entities (including pharmacy and third-party benefits administrators) to:
- create a comprehensive information security program to safeguard individuals’ personal information;
- encrypt personal information being transmitted or while stored on a portable device;
- implement security measures to protect personal information stored on Internet-accessible devices;
- implement access controls and authentication measures to ensure that access to personal information is limited only to those who need it in connection with their job function; and
- ensure that employees and third parties comply with data security requirements.
These requirements are effective October 1, 2015, but health insurers have until October 1, 2017, to come into full compliance.
Additionally, the Act requires that contracts between a state agency and a contractor authorizing the contractor to receive personal information include terms and conditions requiring the contractor to implement data security measures to protect the relevant personal information. The minimum data security requirements for contractors are substantially similar to the requirements for health insurers listed above, but also include additional requirements that the contractor:
- obtain approval from the contracting state agency to store data on removable storage media; and
- report any suspected or actual breaches of the personal information to the state as soon as practical after discovery.
The section pertaining to state contractors is effective July 1, 2015.