Connecticut ACT Concerning Insurance Data and Information Security
Section 230 of the Connecticut budget bill is titled the "Insurance Data Security Law". It requires entities licensed by the Insurance Commissioner to maintain an information security and cybersecurity program modeled on the New York Department of Financial Services (NYDFS) cybersecurity regulation. Section 230 took effect on October 1, 2019, and the information security program must be in place no later than October 1, 2020. The stated purpose of Section 230 is to establish data and information security standards for persons licensed, or required to be licensed, by the Insurance Commissioner, to require licensees to notify the Commissioner following cybersecurity events, and to require the Commissioner to investigate those events.
The requirements center on implementing and maintaining a Written Information Security Program (WISP) that is based on a risk assessment and that includes administrative, technical and physical safeguards for nonpublic information. In practice the program must cover:
· Board of Directors oversight of the program
· Written policies, procedures and safeguards
· A risk management program that includes risk assessment, risk evaluation and risk mitigation for internal and external systems and for third-party vendors and suppliers
· Cybersecurity awareness training for personnel
· Encryption of nonpublic information in transit and at rest
· Multifactor authentication
· Continuous monitoring to identify unauthorized access to, or unauthorized alteration, destruction, disclosure, misuse or transmission of, nonpublic information
Because every safeguard has to trace back to the risk assessment, the assessment itself should be documented and kept current; an auditor will expect to see which identified risks each control, including the encryption and MFA deployments, is intended to mitigate.
Section 230 affects insurance companies and their third parties across all lines of business, including:
· Auto Insurance
· Life Insurance
· Business Insurance
· Recreational Insurance
· Umbrella Insurance
· Financial Insurance
· Health & Long Term Care Insurance
· Flood Insurance
· Health Insurance
· Homeowners Insurance
· Suppliers and service providers to insurance companies
Breach & Cyber Event Notification
Following a cybersecurity event, the licensee must notify the Commissioner within three business days. If an insurance licensee notifies individuals under the Connecticut breach notification law, it must notify not only the affected individuals but also the Connecticut Attorney General and the Insurance Commissioner, and it has a "continuing obligation to update and supplement such information" as the investigation develops. The three-business-day clock makes incident detection and escalation timing a compliance matter, not just an operational one: the response plan should define who decides that an event is reportable and how that decision is recorded.
Enforcement of Section 230
The enforcement provisions allow the Commissioner to "suspend, revoke or refuse to reissue or renew any license, certificate of registration or authorization to operate," and state that the Commissioner may impose a civil penalty of not more than fifty thousand dollars for each violation of this section.
The bill also requires insurance licensees to offer 24 months of credit monitoring to affected individuals in the event of a data breach, which is consistent with the Connecticut data breach notification law.