New law will require consumer breach notice within 90 days, identity theft protection for consumers, “kill switch” for smartphones, and implementation of data security programs for certain health providers, state agencies and contractors
And Connecticut makes eight.
On the heels of the largest health care insurance and government data breaches in history, including high-profile breaches caused by third party vendors, Connecticut enacted a law requiring health care insurers, government agencies, and third party vendors to meet stringent data security standards. On July 1, Connecticut Governor Dannel Malloy signed Public Act No. 15-142, “An Act Improving Data Security and Agency Effectiveness” (the Act), making Connecticut the eighth state to amend its data breach notification statute this year. The Act ratified a plethora of changes to the Constitution State’s data breach notification and information security requirements. It will require companies covered by the state’s data breach law to provide identity theft mitigation services to customers following a security incident, while requiring that certain enterprises – including health insurance providers and state contractors – and state agencies, develop detailed information security programs to protect personal information (PI) under their control. Businesses of every stripe should examine these changes and revise their data security and breach response procedures accordingly to ensure compliance with Connecticut’s newest data security mandates.
A myriad of changes for a host of businesses
Effective July 1, 2015, all contracts entered into between a state agency and a vendor to share “confidential information” must contain certain privacy and security measures. Among other obligations, state contractors must:
Effective July 1, 2015, the Secretary of the Connecticut Office of Policy and Management must, among other things, establish policies and procedures to ensure the security, privacy, and confidentiality of data collected and maintained by executive agencies.
Effective October 1, 2015, businesses subject to Connecticut’s data breach notification law will be required to do the following after discovering a security incident:
Effective Oct. 1, 2017, health insurers, health care centers and other defined health entities must develop and maintain comprehensive information security programs to protect customer PI. These programs must be continuously updated, and incorporate the following:
Finally, effective July 1, 2016, until July 1, 2017, any smartphone sold in Connecticut must be enabled with a “kill switch” that renders the device inoperable at the request of the authorized user. This will allow a consumer, upon being notified of a breach, to protect PI and other confidential information that might otherwise be accessed without authorization as a result of the breach.