The two-year state budget approved in the last days of the 2019 legislative session included notable changes to the state's Insurance Data Security Law.
Under the prior law, carriers, pharmacy benefit managers, third-party administrators, utilization review companies, and other entities licensed to conduct health insurance business were required to maintain and implement a written information security program to protect the personal information of insureds and enrollees.
The changes adopt provisions similar to those in the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, making the requirements considerably more comprehensive.
The law now applies to all entities licensed under the insurance statutes, registered or authorized to operate in the state, or required to be licensed in the state.
The changes are contained in Section 230 of the budget bill (beginning on page 280 of the 580-page document), enacted as Public Act 19-117.
Such licensees must: (1) develop and implement a risk assessment program and an information security program to protect nonpublic information; and (2) investigate any cybersecurity event, defined as unauthorized access to an information system, and report it to the Connecticut Insurance Department commissioner within 72 hours. The reporting obligation also reaches third-party service providers.
Nonpublic information means information that is not publicly available, other than a person's age or gender.
It includes any information that: would materially affect a licensee's business, operations or security if disclosed; is created by or derived from a consumer or healthcare provider and concerns behavioral, mental or physical health, including healthcare services or payments; or is customer information such as a name, number or other identifier that can pinpoint an individual, alone or in combination with other available information.
This definition of nonpublic information makes the law more expansive than its predecessor, which applied only to personal information.
By October 1, 2020, licensees must develop, implement, and maintain a written information security program based on their risk assessment and commensurate with the licensee's size and complexity, the nature and scope of its business, and the sensitivity of the nonpublic information it uses, possesses or controls.
The program must define a retention schedule for nonpublic information, provide for its periodic evaluation, and establish a mechanism for destroying the information once the licensee no longer needs it.
Additionally, the plan must be designed to protect against any hazards or threats to the integrity and security of the information system and confidentiality of the information, while also minimizing the likelihood of harm to consumers.
Risk Assessment Program
The changes to the law also require each licensee to operate a risk assessment program that: (1) designates an employee, affiliate, or outside vendor to develop, implement, and maintain the information security program; (2) identifies reasonably foreseeable internal and external threats; (3) assesses the likelihood and potential damage of those threats; and (4) implements appropriate information safeguards.
After implementation, the licensee, on the basis of the risk assessment program, must continuously remain informed of emerging threats, utilize reasonable security measures, and provide employees with ongoing security awareness training.
If the licensee has a board of directors, the board (or an appropriate committee of the board) must require the licensee's executive management or its delegates to develop, implement, and maintain the information security program, and to report annually on its status, the licensee's compliance, and any material matters.
By October 1, 2021, licensees must ensure that any third party service providers are in compliance with the law.
Incident Response Plan
The new law also requires a written incident response plan designed to promptly respond to, and recover from, cybersecurity events that compromise the confidentiality of nonpublic information or the licensee's information systems or business operations.
As of February 15, 2021, and annually thereafter, domestic carriers must submit a written statement to the state insurance commissioner certifying compliance with the risk assessment and information security program provisions, and must retain the supporting documentation for at least five years.
Licensees must promptly investigate any suspected cybersecurity events to determine whether an event occurred.
Following a cybersecurity event, a licensee (or a third-party service provider) has three business days to notify the commissioner if either: the licensee is domiciled in the state; or the licensee reasonably believes the nonpublic information involved affects more than 250 people and either (a) the licensee is required to send notice to a regulatory or governmental body under federal or state law, or (b) the event is reasonably likely to materially harm any Connecticut consumer or the licensee's business.
The risk assessment requirements phase in over time according to the size of the business.
Between October 1, 2020, and September 30, 2021, the risk assessment requirements will not apply to licensees with fewer than 20 employees, including independent contractors.
As of October 1, 2021, these requirements will not apply to licensees with fewer than 10 employees, including independent contractors.
The bill also provides that the provisions set forth apply to licensees, but not their agents, designees, employees, or representatives, so long as they are covered by the licensee’s information security program.
A licensee may also be exempt from these requirements if it maintains an information security program that complies with another jurisdiction's law or regulations.
Notably, any licensee that establishes and maintains an information security program in compliance with the Health Insurance Portability and Accountability Act (HIPAA) is deemed to have satisfied the new law's risk assessment and information security program provisions.
Under the changes, the state insurance commissioner is granted power to investigate and examine a licensee in order to determine compliance with such provisions.
If the commissioner has reason to believe that a licensee is in noncompliance, the commissioner must issue and serve the licensee with a statement of violation and a notice of hearing.
The hearing will be held within 30 days of the notice being issued and will provide the licensee with the opportunity to show cause.
If the commissioner finds that the licensee is in noncompliance, the commissioner may take action against the licensee's license, registration, or authorization.
The commissioner may also impose a fine of up to $50,000 for each violation, which may be collected through a civil action.
Any information or documentation obtained during the investigatory process will not be subject to the Freedom of Information Act, subpoena, or discovery.
Additionally, the changes do not create a private right of action or affect or limit an existing private right of action.