CONNECTICUT STATE CONTRACTORS – NEW DATA BREACH LAW

Tegan Blackburn

Our blog this month highlights some important changes to Connecticut’s data breach notification statute with important new security requirements for anyone doing business with the state. (Public Act No.15-142, “An Act Improving Data Security and Agency Effectiveness –  “the Act”.)” State contractors must comply with this new law by October 1, 2017. The Act includes some important new requirements and a few modifications to existing laws regulating personal information.  These comprehensive new security requirements include mandatory security training, certifications and agency oversight. (See What’s Required of Contractors below.)

Briefly, the Act will:

  • impose extensive new security requirements on contractors that provide goods or services to the State of Connecticut;
  • require health insurers and certain other entities subject to the jurisdiction of the Department of Insurance to implement a comprehensive information security program;
  • modify the existing Connecticut breach notification law;
  • address state agency data security and data exchange practices; and
  • add new security requirements for smartphones sold to Connecticut purchasers.

This new law applies to all state contractors, health insurers and entities subject to Department of Insurance oversight, which may have access to personal, health or other confidential information.

What’s Required of State Contractors?

In every agreement where a state contracting agency may need to share personal information (PII), protected health information (PHI) or other confidential information (CI) with a contractor, the contractor must:

  1. take precautions to prevent a data breach;
  2. implement and maintain a comprehensive data security program to protect confidential information provided by a state agency;
  3. limit access to confidential information only as necessary to complete the contracted services;
  4. maintain confidential information on only secured servers or devises; and
  5. Alert both the state contracting agency and CT Attorney General of an actual or suspected data breach.

Contractors are required to have a data security program including:

  1. security policies for all employees to protect any personal, health or confidential information accessed, used, stored or transported;
  2. reasonable restrictions on accessing confidential information;
  3. at least once annually, policies and security measures must be evaluated and updated; and
  4. All employees with access to confidential information must be given security awareness training provided by the state contracting agency.

Important New Requirements for Security Breach Notifications

Many other federal and state laws already require many of the security protections required by this new law, however, not all laws are consistent and this law is intended to provide additional protections to state residents, as well as provide clearer breach notification requirements.

Data breach notification under this new law requires:

  • Notices must be provided to the consumers no later than 90 days after discovering a breach, unless shorter time notice is required under federal law; and
  • Notices must include an offer that includes identity theft prevention and, if applicable, identity theft mitigation services to affected residents, at no cost to those residents, for at least one year.
  • The consumer notification must also include information about how to enroll in the service and how to place a credit freeze on their credit file.

Comprehensive Information Security Program:

By October 1, 2017, any person or entity subject to the Act must have a comprehensive information security program in place to safeguard the PII, PHI or CI of insured or enrollees. Also, each company must certify annually to the Insurance Department demonstrating it maintains a program in compliance with the Act. The Attorney General and Insurance Commissioner will have oversight authority under the new law and may also request a copy of a company’s program to determine compliance.

The program requirements apply to every:

  1. health insurer, HMO, and other entity licensed to write health insurance in CT;
  2. pharmacy benefits manager;
  3. third-party administrator that administrates health benefits; and
  4. utilization review company.  Just like many of its federal counter-parts, such as health and finance laws like HIPAA and GLBY, each Security Program must be reviewed at least once annually, be in writing and include appropriate administrative, technical, and physical safeguards to protect data.

Of note is the additional provision prohibiting sales of new smartphone models in CT unless it has hardware or software that enables authorized user to disable smartphone’s essential feature.

Lastly, and very importantly, the Attorney General has the authority to investigate potential violations by State contractors and bring civil actions for violations.  So compliance and enforcement must be taken seriously.  The Act also empowers Department of Insurance to enforce the information security program requirements for health insurers and other entities subject to the information security requirements. State Department of Education can ban a contractor from receiving access to education records for up to five years if a breach involves the contractor’s access to education records.

_______________________________________________________________________________

In additional to our firm’s general counsel services advising diverse industry clients on a wide range of day-to-day legal and business matters, we have extensive expertise advising clients on best practices for avoiding cyber threats; and if the worse should occur, have extensive, hands-on experience guiding clients through the critical steps that must be taken to respond to security incidents and data breaches.  We welcome your inquires on this important subject and how our firm can help you avoid these risks.