On February 26, Bill No. 1024, titled "An Act Concerning the Security of Consumer Data," was introduced in the Insurance Committee of the Connecticut General Assembly. The bill requires health insurers, healthcare centers (a particular type of health insurer under Connecticut law that is akin to an HMO) and "other entities licensed to do health insurance business in Connecticut," pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies to implement data security technology that encrypts the personal information of insureds and enrollees compiled or maintained by the entity. The phrase "other entities licensed to do health insurance business in Connecticut" is undefined in the legislation and has the potential to be construed broadly, thereby effectively expanding the universe of entities to which this legislation could be deemed to apply.
The bill defines "encrypt" as "the transformation of electronic data into a form in which meaning cannot be assigned without the use of a confidential process or key." The term "personal information" is defined to mean an individual's first name or initial and last name in combination with one or more of the following: Social Security number, driver's license number or other state identification number, address, or identifiable health information. The bill requires the Connecticut Commissioner of Insurance to promulgate regulations, in consultation with the Connecticut Commissioner of Consumer Protection, to establish minimum data security standards and to implement the requirements of the bill.
The data security technology requirements must be implemented no later than two years after the effective date of the bill, and entities subject to the law will be required to update their technology as necessary to ensure compliance with the requirements.
Bill No. 1024, which is modeled in part on a similar New Jersey data encryption law passed in January, was introduced by Connecticut State Senate Democrats in the aftermath of the Anthem Health Insurance data breach in early February. According to arelease by State Senate Democrats, Anthem is one of Connecticut's largest health insurers and the data breach impacted more than 1.1 million people in the state.
Like the New Jersey law, the Connecticut legislation mandates the use of encryption but is silent as to other measures that insurers can or should take to make it more difficult for attackers to access the systems containing the encrypted information. It remains to be seen how the legislation will evolve as it makes its way through the Connecticut legislative process.