The Connecticut Insurance Department (the “Department”) issued Bulletin IC-25 (the “Bulletin”), dated August 18, 2010, to require all entities doing business in Connecticut that are licensed by or registered with the Department to notify the Department of any information security incident within five days of discovery.
Similar to bulletins issued by other state insurance departments, the Bulletin goes beyond the state breach notification statute. Its requirements are among the most aggressive of their kind and will require insurance companies, producers and others to reconsider how they respond to data breaches.
In the event of an information security incident (defined below) involving a licensee or registrant of the Department, the Bulletin requires notice to the Department. For this purpose, licensees and registrants of the Department include the following: insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers and medical discount plans.
When and How Notice Must Be Provided
Licensees and registrants must notify the Department of any information security incident affecting any Connecticut resident as soon as the incident is identified, but no later than five calendar days after the incident is identified. Notification must be sent to the Insurance Commissioner in writing via first class mail, overnight delivery service or electronic mail.
Definition of Information Security Incident
As defined by the Bulletin, an information security incident is any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information (defined below), whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, that is maintained by a licensee or registrant of the Department, the loss of which could compromise or put at risk the personal, financial or physical well-being of the affected individuals.
It is important to note that notice is required under the Bulletin even when the personal information involved was encrypted. This requirement stands in stark contrast to the data breach notification statutes of most U.S. jurisdictions, including Connecticut, where notice is not required when the data breach incident involves encrypted personal information.
Definition of Personal Health, Financial or Personal Information
Although the Bulletin does not define personal health, financial or personal information, the Bulletin cites section 42-471 of the Connecticut General Statutes, which defines “personal information” as follows:
[I]nformation capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
The Bulletin lists numerous facts that must be disclosed in the notification to the Department, to the extent known at the time of notification, including details about the incident (e.g., dates, information involved and nature of the incident), remedial actions taken, the number of Connecticut residents affected and copies of the relevant privacy and data breach policies. The Department will also want to review draft notices to Connecticut residents affected by the information security incident before the licensee or registrant sends them to the affected residents.
Notification Regarding Vendor or Business Associate Incidents
Licensees and registrants of the Department must also report to the Department an information security incident involving a vendor or business associate of the licensee or registrant. The Department will want to be kept informed of how the licensee or registrant is managing the vendor’s/business associate’s activities.
Although particular remedial actions are not required under the Bulletin or the Connecticut data breach statute, the Bulletin expresses the Department’s intention to have input into the level of credit monitoring and insurance protection offered to affected individuals, and the period of time for which remedial actions are offered.
Implications of the Short Notice Period
Companies cannot wait until the investigation of an incident is complete to provide notice to the Department pursuant to the Bulletin. Because of the specific content requirements for the notice and the five-day time limit, in most instances companies will be reporting incomplete facts and will need to supplement their initial notices with additional information as it becomes available during the investigation of the incident.
Notification to Other State Insurance Departments
The Connecticut Insurance Department is not the first insurance regulatory body to require notice in the event of a data breach. Insurance departments of other states, including Ohio, Rhode Island and Wisconsin, also require that their licensees and registrants provide notice following discovery of a data breach incident. It is only a matter of time before other state insurance departments begin issuing similar data breach notification requirements.
Ohio Insurance Bulletin 2009-12 requires insurers to provide notice to the Ohio Department of Insurance of loss of control of policyholder information within 15 calendar days after discovery of the loss of control if it involves more than 250 Ohio residents. Pursuant to Chapter 11 of Rhode Island Insurance Regulation 107, licensees of the Rhode Island Department of Business Regulation, which includes insurance companies and producers, must notify the department of a data breach in the most expedient time possible and without unreasonable delay. Similarly, the Wisconsin Office of the Commissioner of Insurance, under a bulletin dated December 4, 2006, requires insurers to notify the office no later than 10 days after it has become aware of unauthorized access to the personal information of insureds.
The Connecticut Insurance Department notice requirement is the most aggressive among the insurance departments due to the five-day timeframe and specific content requirements. To comply with the stringent requirements and avoid any penalties, insurance entities will need to revisit their information security and data breach response policies to ensure they have the proper protocols to prevent, detect, investigate and remediate data breach incidents.
The Bulletin is available at www.ct.gov/cid/lib/cid/Bulletin_IC_25_Data_Breach_Notification.pdf.