On July 20, 2020, the Connecticut Insurance Department issued a bulletin to licensees reminding them that the Connecticut Insurance Data Security Law (“Act”) becomes effective on October 1, 2020 and providing guidance on compliance.
The Act requires “all persons who are licensed, authorized to operate or registered, or required to be licensed, authorized or registered pursuant to the insurance laws of Connecticut” to “develop, implement and maintain a comprehensive written information security program (“ISP”) that complies with” the Act “not later than October 1, 2020.” The Act generally applies to domestic insurers and health care centers, with some exemptions.
The Act requires the licensee’s ISP to be based upon a risk assessment “and contain safeguards for the protection of nonpublic information and the licensee’s information systems commensurate with the size and complexity of the licensee, its activities, including use of third-party services providers, and the sensitivity of the nonpublic information used by the licensee or in its possession, custody or control.”
The bulletin reminds that unless a licensee is exempted, the licensee must perform due diligence on its third-party service providers and require those third-party service providers to implement appropriate administrative, technical and physical measures to protect the information disclosed to the third-party service provider by the licensee. Although not specified in the bulletin, licensees may wish to consider documenting such measures through security questionnaires and written contractual obligations.
All licensees (except for those licensees exempt from the law) must provide written confirmation to the Insurance Commissioner on February 15, 2021 and annually thereafter certifying that it is in compliance with the Act. Documentation of plans for material improvements, updates or remedial efforts must be maintained by the licensee and be “available for inspection by the Insurance Department.”
The bulletin outlines in detail the obligations of licensees following a cybersecurity attack or event. Similar to the New York Department of Financial Services Cybersecurity Regulations, the Act requires licensees to notify the Insurance Commissioner “as promptly as possible, but in no event later than three (3) business days after the date of the cybersecurity event” if the licensee is domiciled in the State of Connecticut or the licensee believes that the event involves more than 250 residents of the State of Connecticut and notification to individuals is required by state or federal law or the licensee believes that the event has “a reasonable likelihood of materially harming any consumer residing in Connecticut….” The notification will be through the Insurance Commissioner’s website and will be available by October 1, 2020.
The bulletin reminds licensees that it has the power to examine and investigate compliance with the Act and to impose penalties for noncompliance. Nonetheless, the bulletin states that because of COVID-19, the Department “intends to exercise appropriate discretion in evaluating the facts and circumstances of a licensee’s compliance…and in the imposition of sanctions for noncompliance.” The bulletin further states that the Department will not impose sanctions against a licensee if it fails to file its annual certification of compliance by February 15, 2021 as long as the certificate of compliance is filed by April 15, 2021. However, if a licensee is unable to file the certification on a timely basis due to COVID-19, the licensee “is urged to contact the Insurance Department Market Conduct Division to explain why it is unable to file by the deadline.
Licensees may wish to consider prioritizing compliance with the Act now and develop and implement its ISP to be ready for both the October 1, 2020 compliance deadline, and the February 15, 2021 certification deadline.