This summer, Governor Malloy enhanced data protection for Connecticut residents by signing into law AN ACT IMPROVING DATA SECURITY AND AGENCY EFFECTIVENESS, Public Act No. 15-142, which addresses data security on a variety of fronts.
Existing laws generally require that anyone who conducts business in the state and who stores personal information must disclose a security breach without unreasonable delay to affected state residents and to the Attorney General. Failing to do so constitutes an unfair trade practice under CUTPA (the Connecticut Unfair Trade Practices Act). (CGS 36a-701b). Public Act No. 15-142 clarifies that the notice of a breach must be given within 90 days after the breach is discovered, and that identity theft protection and, if applicable, identity theft mitigation services, must be offered to victims.
Another provision of the new law is directed toward contractors that receive Confidential Information from a state agency under their contract. In addition to the breach notification and remediation required under CGS 36a-701b, Connecticut state contractors are now required to take specified precautions against data breaches, such as maintaining an active data security program, limiting access to the information, and using preventive technology, as well as having a breach investigation system in place. If a breach should occur (or is even suspected to have occurred), the contractor must report it to the agency as well as the AG’s office.
Confidential Information is defined to include most numbers that identify an individual these days in official and non-official settings: social security or other tax ID numbers, driver’s license numbers, passport numbers, etc.; but also health insurance ID numbers, financial account numbers, etc. “Confidential Information” also includes biometrics: images of fingerprints, retina scans, etc. In addition, the state agency can designate as “confidential” any information it shares with the contractor beyond the statutory listing. As broad as the definition is, it expressly excludes information that is lawfully public.
Another provision of the law states that by October 2017, health insurers are required to implement and maintain a comprehensive information security program to safeguard the personal information these entities compile or maintain on insureds and enrollees. It specifies program requirements, requires that the program be updated at least annually, and requires the entities to offer at least one year of free identity theft prevention and mitigation services if a breach occurs.
The new law also establishes a directive for the Connecticut Office of Policy and Management to (1) develop a program to access, link, analyze, and share data maintained by state executive agencies and (2) respond to queries from state agencies, private entities, or others that would otherwise require access to data maintained by two or more executive agencies. This, hopefully, would make FOIA and other requests easier to submit and to respond to.
Public Act No. 15-142 has been criticized for setting forth a definition of Confidential Information that is overly broad, for requiring the use of certain technologies and effectively making others illegal (thus inhibiting innovation), and for adding to reporting requirements already imposed by law (e.g., under HIPAA and FERPA), but it was supported by many, including Mark Raymond, Chief Information Officer, CT Dept. of Administrative Services, and Secretary of State Denise Merrill.