Section 230 of the Connecticut budget bill is called the “Insurance Data Security Law” and becomes effective October 1, 2019. It requires any insurance licensee (anyone who is authorized or licensed and subject to the insurance laws) to implement an information security program by October 1, 2020. The requirements include the implementation and maintenance of a written information security program (WISP) based upon a risk assessment, as well as administrative, technical and physical safeguards to protect non-public information.
The WISP must include a number of things, including employee training, a record retention program, a risk assessment process, an incident response process, and a requirement to “[N]ot less than annually assess the effectiveness of such licensee’s safeguards’ key controls systems and procedures.”
The requirements are similar to the New York Department of Financial Services cybersecurity regulations, and are lengthy and specific. We did not complete a word-for-word analysis, but it looks nearly identical to the New York requirements, including requiring oversight by the Board of Directors.
Pay attention to the details, such as the fact that when there is a cybersecurity event, notification must be made to the Commissioner within three business days. If an insurance licensee notifies an individual under the Connecticut breach notification law, the insurer must notify not only the individuals, but also the Connecticut Attorney General and the Insurance Commissioner, and has a “continuing obligation to update and supplement such information.”
The enforcement provisions allow the Commissioner to take actions such as “suspending, revoking or refusing to reissue or renew any license, certificate of registration or authorization to operate,” … and state that the Commissioner may “impose a civil penalty of not more than fifty thousand dollars for each violation of the provision of this section.”
The bill also requires insurance licensees to offer 24 months of credit monitoring to affected individuals in the event of a data breach, which is consistent with the Connecticut data breach notification law.