Perhaps prompted by revelations that one or more Connecticut-based insurers failed to notify individuals or report known data security incidents or breaches until weeks, or even months, after the data had been lost or stolen, the state's Insurance Commissioner has issued stringent new reporting obligations applicable to all entities regulated by the Connecticut Department of Insurance (CDI), including, for example, insurers, agents, brokers, adjusters, health maintenance organizations, preferred provider networks, discount health plans and certain consultants and utilization review companies. In a bulletin published August 18, 2010, the Insurance Commissioner cites its authority to "protect the public interest" under various insurance statutes in the state, as well as authority under Conn. Gen. Stat. § 42-471, the state's personal information protection law, to define an "information security incident" and require notification to the Department of Insurance of such incidents.
Under the CDI bulletin, a regulated entity must report an information security incident as soon as the incident is identified, but not later than five calendar days after the incident is identified. This period is perhaps the shortest data security breach notice requirement of any state in the nation, surpassing California, which requires notification within five business days. The notification requirement also obliges a regulated entity to report any information security incident at or by a vendor or business associate of the regulated entity if the incident has the potential to affect personal health, financial or personal information of a Connecticut insured, member, subscriber, policyholder or provider.