Governor Malloy recently signed into law S.B. 949, "An Act Improving Data Security and Agency Effectiveness" (available at https://www.cga.ct.gov/2015/act/pa/2015PA-00142-R00SB-00949-PA.htm). The new law updates Connecticut's data security statute and adds significant new data security requirements for Connecticut businesses, State contractors and health insurance businesses. Here are some highlights, including provisions that take effect this month:
All Connecticut Businesses
Effective October 1, 2015, subject to limited exceptions, any breach of a Connecticut resident's "personal information" triggers obligations to notify the affected person and the Connecticut Attorney General. "Personal information" means an individual's first name or first initial and last name in combination with one or more of (1) a social security number; (2) a driver's license or state identification number; or (3) an account number or credit or debit card number, together with any required security code, access code or password that would permit access to the individual's financial account. Notification must be made "without unreasonable delay," and in any event no later than ninety days after the breach is discovered. The law also requires the business to offer the affected person identity theft prevention services and, if applicable, identity theft mitigation services, free of charge for a period of at least twelve months.
State Contractors
Under the new law, State agencies must now include data security provisions in their written agreements with contractors that receive "confidential information," as defined by the contracting agency. Those agreements must require the contractor to:
- Protect all confidential information from breach at the contractor's own expense;
- Implement and maintain a comprehensive data-security program;
- Maintain confidential information on secured servers and drives, and not on any stand-alone computer or portable storage device.
Health Insurance Businesses
Effective October 1, 2017, new data security obligations are imposed on health insurers, health care centers and other entities licensed to do health insurance business in Connecticut, as well as on pharmacy benefits managers, third-party administrators and utilization review companies. The law requires these companies to "implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees."
* * *
The Privacy & Data Security practice group is pleased to announce that Attorney Sherwin Yoder has been designated by the International Association of Privacy Professionals (www.iapp.org) as a Certified Information Privacy Professional / United States. The CIPP/US certification formally recognizes a professional's knowledge of federal and state laws and regulations governing collection and handling of personal information. Sherwin's training and education in this area means additional support for our clients who deal with protected health, financial and employment information, and who may need to assess and/or mitigate the risks of a data breach or wrongful disclosure.
For more information, please contact Arthur G. Schaier at (203) 575-2629, firstname.lastname@example.org or Sherwin M. Yoder, CIPP/US at (203) 784-3107, email@example.com, or any member of the Privacy & Data Security practice group.
- Liam S. Burke
- Jennifer A. Calcagni
- Matthew H. Gaul
- Damian K. Gunningsmith
- Mariella LaRosa
- Todd Michaelis
- Arthur G. Schaier
- Mark F. Williams