The Connecticut Insurance Department (“Department”) issued Bulletin IC-25 (the “Bulletin”), dated August 18, 2010, to require all entities doing business in Connecticut that are licensed by or registered with the Department to notify the Department of any information security incident.
Who Must Provide Notice
All licensees and registrants of the Department must provide notice, including insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers and medical discount plans.
When and How Notice Must Be Provided
Licensees and registrants must notify the Department of any information security incident affecting any Connecticut resident as soon as the incident is identified, but no later than five calendar days after the incident is identified. Notification must be sent to the Insurance Commissioner in writing via first class mail, overnight delivery service or electronic mail.
Definition of Information Security Incident
The Department considers an information security incident to be any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, that is maintained by a licensee or registrant of the Department, the loss of which could compromise or put at risk the personal, financial or physical well-being of the affected individuals.
Definition of Personal Health, Financial or Personal Information
Although the Bulletin does not define personal health, financial or personal information, the Bulletin cites section 42-471 of the Connecticut General Statutes, which defines “personal information” as follows:
[I]nformation capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
The Bulletin lists numerous facts that must be disclosed in the notification to the Department, to the extent they are known at the time of notification, including details about the incident and the remedial actions taken. Notice to the Department must also contain a draft of the notice the licensee or registrant intends to send to Connecticut residents affected by the information security incident.
Notification Regarding Vendor or Business Associate Incidents
Licensees and registrants of the Department must also report to the Department an information security incident involving a vendor or business associate of the licensee or registrant. The Department will want to be kept informed of how the licensee or registrant is managing the vendor’s/business associate’s activities.
Although credit monitoring is not required under the Bulletin or the Connecticut data breach statute, the Bulletin expresses the Department’s intention to have input into the level of credit monitoring and insurance protection offered to affected individuals, and the period of time for which remedial actions are offered.