In June, Connecticut’s governor signed into law Senate Bill 949 which amended the State’s breach notification statute. The requirement that covered businesses must provide one year of identity theft protection services for certain breaches, easily the most popular aspect of the legislation, may have diverted attention from some significant aspects of this new law. Senate Bill 949 established expansive data security requirements for entities contracting with state agencies and entities in the health insurance and administration business (e.g., health insurance insurers, pharmacy benefits managers, and third-party administrators).
Contractors Must Implement a Data Security Program
Entities that have contracts with the state and receive “confidential information” from state agencies are required to implement and maintain a “comprehensive data-security program,” including the use of security policies, annual reviews of such policies, access restrictions, and mandatory security awareness training for employees beginning July 1, 2015.
Some of the requirements include:
-
Policies must restrict access to confidential information only to authorized employees.
-
There must be security and breach investigation procedures.
-
The data security program must be reviewed annually.
-
When applicable, contractors must provide the state Attorney General and the contracting agency a report detailing breaches or suspected breaches, including mitigation plans or why the contractor believes no breach occurred.
-
Contractors cannot store confidential information on stand-alone computers or notebooks or portable storage devices, such as USB drives. This provision has limited exceptions.
-
Contractors may not copy, reproduce, or transmit confidential information except as necessary to complete the contracted services.
Because of the way many businesses perform their services today (e.g., utilizing flash drives and allowing employees to work from home, perhaps with their own computers), the new mandates may require significant changes in current practices. Contractors that are “business associates” of a state agency as defined under HIPAA may have to do more than comply with the HIPAA privacy and security regulations, and should revisit their HIPAA policies and procedures to ensure compliance with the state mandates. The contracts themselves also could impose additional security obligations.
Health Insurance Businesses Must Step Up Data Security
Beginning October 1, 2017, any health insurer, health care center, pharmacy benefits manager, third-party administrator, utilization review company, or entity that is licensed to do health insurance business in Connecticut must implement and maintain a “comprehensive information security program to safeguard the personal information of insureds.” Examples of the safeguards the program must include are:
-
secure computer and Internet user authorization protocols;
-
secure access control measures that include, but are not limited to, restriction of access to personal information only to those who require such data to perform their job duties, passwords that are not default passwords and are reset at least every six months, encryption of all personal information while being transmitted on a public Internet network or wirelessly, encryption of all personal information stored on a laptop computer or other portable device, and monitoring of company security systems for breaches of security;
-
designation of one or more employees to oversee the security program;
-
identification and assessment of reasonably foreseeable internal and external risks to the security of the personal information; and
-
annual review of the scope of the secure access control measures.
Many of these entities either are covered entities or business associates under HIPAA. They should take note, however, that some of these new requirements could go beyond basic HIPAA regulatory mandates. For example, the Connecticut law requires passwords be changed at least every six months. The Connecticut law also requires encryption of all personal information while being transmitted on a public Internet network or wirelessly and when stored on a laptop or other portable device. Beginning October 1, 2017, covered health insurance businesses must certify annually to the Insurance Department, under penalty of perjury, that they maintain a comprehensive information security program that complies with the law’s requirements.
Implications
Businesses covered by the new requirements must take stock of their current operations, policies, and procedures to determine whether they are in compliance. The law also has implications beyond the businesses to which it applies directly. Consider professional service providers working with covered state contractors or health insurance businesses. Their services might involve the need to access the same confidential information triggering these requirements. These and similarly situated businesses will need to be prepared.
Getting compliant will take time and only after careful assessment and analysis. Turning this task over entirely to the company’s “IT guy” is likely not the best approach. The role of IT is no doubt critical, but these mandates require consideration of administrative and physical safeguards, as well as technical safeguards. They envision careful assignment of access to personal data based on particular need. They seek broad awareness of the safeguards throughout an organization that is accomplished through training and other measures. They mandate incident response planning, a function involving key decision makers in an organization so they know what to expect and their responsibilities in the event of a breach. They require organizations to obligate their third-party service providers to adhere to similar standards. In short, they contemplate a wholesale, enterprise-wide, regularly reviewed approach to securing confidential information that changes and develops with the organization.