Preparing insurers for Connecticut’s new data security law
Connecticut Governor Ned Lamont on June 26 signed into law the state’s new Insurance Data Security Law (IDSL), implementing a new regime of information risk management and event-reporting requirements for insurance licensees.
When effective, the IDSL will affect the operations of all carriers, producers and other businesses licensed by the Connecticut Insurance Department (CID), but the impact will vary depending on an entity’s size, sophistication, volume of non-public data, sensitivity of data and reliance on third-party vendors.
The IDSL’s effective date was originally slated for this fall but has been postponed until October 1, 2020.
Having been prodded by the US Department of the Treasury in 2015, the National Association of Insurance Commissioners (NAIC) undertook a multi-year effort to draft model legislation establishing national, insurance-specific standards for data security. It quickly became apparent that consensus on an approach acceptable to regulators, consumer representatives and various sectors within the industry would be difficult to achieve.
At around the same time, New York’s Department of Financial Services (NYDFS) promulgated its cyber-security rules for insurers doing business in that state. With a significant portion of the industry having become subject to New York’s cyber-risk management and event notification rules, the NAIC’s drafting committee was able to conclude its work and the model act was adopted in October 2017. That model served as the basis for the IDSL.
The often-inscrutable workings of Connecticut’s General Assembly can become even more perplexing during the frenetic days leading up to annual adjournment. That may explain the seemingly odd locus of the new IDSL, submerged almost 300 pages deep within the state’s 2019 biennial budget act. As a result, it was little noted that when Lamont signed the budget into law, Connecticut had joined the handful of states to have – so far – adopted the NAIC’s data security model act.
In summary, the IDSL creates two broad areas of compliance concern: security measures and event reporting.
The first relates to new risk assessment, management and mitigation duties of covered licensees beginning in the fall of 2020. These include:
- The performance of regular risk assessments.
- The designation of a responsible employee, such as a chief information security officer.
- The maintenance of an information security program that is ‘commensurate’ with the size and complexity of the licensee’s operations and the nature of its activities.
Oversight by the licensee’s board of directors is mandated. Notably, licensees must require by October 2021 that appropriate security measures be implemented by any third-party service provider that possesses or controls non-public information.
An annual written certification must be filed with CID by each February 15. Effectiveness of the information security program provisions is delayed until October 2021 for small licensees (those with fewer than 20 employees) and there is a full exemption from those requirements for the smallest licensees (those with fewer than 10 employees).
Finally, exemptions from the IDSL’s risk management protocols are provided for those licensees already complying with the Health Insurance Portability and Accountability Act or with another state’s information security requirements, if approved under regulations to be adopted by CID.
The second broad area of compliance concern relates to a licensee’s handling of ‘cyber-security events,’ a term generally encompassing unauthorized access to non-public information or to an information system. If the IDSL’s reporting triggers are met, a Connecticut domestic insurer’s notice-giving obligations are bilateral, in that they flow both to the commissioner and to affected consumers.
What is new for insurance companies depends largely on the size and extent of the licensee’s insurance operation. Those with a national or regional scope are likely complying with the New York requirements already. For them, the IDSL should not create significant new compliance burdens, although they will need to report to CID annually.
On the other hand, Connecticut licensees not doing business in New York (and not otherwise exempt under the IDSL) will face material new duties relating to data risk assessment and management. Importantly, these new obligations will not be merely internal. They will also extend to licensees’ third-party service providers.
The IDSL also modifies the Connecticut legal landscape pertinent to data-security event reporting. Currently, every ‘regulated entity’ has a reporting obligation for any ‘information security incident’, with notice to be given to CID within five business days of discovery under the commissioner’s 2010 Bulletin IC-25. The IDSL reduces the reporting period to three business days, and it narrows the reporting requirement to domestic insurers and to producers whose home state is Connecticut.
It also adds new conditions to the obligation, requiring a report only if: (i) information of at least 250 consumers is involved in the event, and (ii) there is either some independent state or federal notice requirement or a reasonable likelihood of ‘material harm’ to a Connecticut consumer or to the licensee itself.
Although the IDSL’s effective date is delayed for 15 months, there are several steps licensees should consider taking at this point:
- Consider whether the entity has New York business sufficient to subject it to the NYDFS’ data security regulation, which is already in force. Compliance with New York’s regulations, if required, should be a top priority and should make complying with the IDSL much easier.
- For licensees with more than 20 employees, begin preparatory work (inventory of data, assessment of risk, board oversight and approval of program) before the October 2020 deadline.
- Ensure continuing cognizance of the obligation to investigate ‘information-security incidents’ and report to CID within five days under Bulletin IC-25, and be on the lookout for CID modifying or withdrawing that bulletin once the IDSL event-reporting regime becomes effective.
Connecticut’s IDSL addresses practices relating to security of data – whether in digital or physical form – that any well-managed insurance licensee ought to consider, if not already have in place. Licensees’ security officers and compliance professionals should review the new law’s provisions to ensure all technical requirements are being met.
In particular, Connecticut licensees should consider how best to comply with the demands the IDSL will impose with respect to oversight of third-party service providers, which may ultimately prove to be the new law’s most onerous impact.
Timothy Curry is a contract attorney with Day Pitney in Hartford, Connecticut. He rejoined the firm in June 2019 following a three-year term as Connecticut's deputy commissioner of insurance.