Connecticut Imposes New Data Security Obligations

New law will require consumer breach notice within 90 days, identity theft protection for consumers,“kill switch” for smartphones, and implementation of data security programs for certain health providers, state agencies and contractors

And Connecticut makes eight. On the heels of the largest health care insurance and government data breaches in history, including high-profile breaches caused by third party vendors, Connecticut enacted a law requiring health care insurers, government agencies, and third party vendors to meet stringent data security standards. On July 1, Connecticut Governor Dannel Malloy signed Public Act No. 15-142, “An Act Improving Data Security and Agency Effectiveness” (the Act), making Connecticut the eighth state to amend its data breach notification statute this year. 

The Act ratified a plethora of changes to the Constitution State’s data breach notification and information security requirements. It will require companies covered by the state’s data breach law to provide identity theft mitigation services to customers following a security incident, while requiring that certain enterprises – including health insurance providers and state contractors – and state agencies, develop detailed information security programs to protect personal information (PI) under their control. Businesses of every stripe should examine these changes and revise their data security and breach response procedures accordingly to ensure compliance with Connecticut’s newest data security mandates.

A myriad of changes for a host of businesses

Effective July 1, 2015, all contracts entered into between a state agency and a vendor to share “confidential information” must contain certain privacy and security measures. Among other obligations, state contractors must:

• Protect confidential information from being breached;
• Implement and maintain a comprehensive data security program to protect confidential information provided by a state agency;
• Limit access to confidential information only as necessary to complete the contracted services;
• Maintain confidential information on secured servers and drives;
• As soon as practical, alert both the state contracting agency and the Connecticut Attorney General of a breach.

Effective July 1, 2015, the Secretary of the Connecticut Office of Policy and Management must, among other things, establish policies and procedures to ensure the security, privacy, and confidentiality of data collected and maintained by executive agencies. Effective October 1, 2015, businesses subject to Connecticut’s data breach notification law will be required to do the following after discovering a security incident:

• Provide consumer notice no later than 90 days after discovering a breach, unless earlier notice is required under federal law; and
• Offer identity theft prevention and, if applicable, identity theft mitigation services to affected residents, at no cost to those residents, for at least twelve months.
• The consumer notification must also include information about how a resident can place a credit freeze on their credit file.

Effective Oct. 1, 2017, health insurers, heath care centers and other defined health entities must develop and maintain comprehensive information security programs to protect customer PI. These programs must be continuously updated, and incorporate the following:

• Secure computer and Internet user authentication protocols (including measures such as multifactor authentication);
• Secure access control measures (including access restriction protocols; PI encryption requirements; security breach monitoring; up-to-date software security and updates; and security awareness training for employees);
• Designation of one or more employees to oversee the security program;
• Security risk identification, assessment, and mitigation strategies;
• Development of PI security policies and procedures for employees – including discipline for lack of compliance with such policies and procedures;
• Oversight of third party vendors;
• Restrictions on physical access to PI;
• Mandatory post-breach incident reviews; and
• Other safeguards the covered health entity thinks will enhance its information security program.

Finally, effective July 1, 2016, until July 1, 2017, any smartphone sold in Connecticut must be enabled with a “kill switch” that renders the device inoperable at the request of the authorized user. This will allow a consumer, upon being notified of a breach, to protect PI and other confidential information that might otherwise be accessed without authorization as a result of the breach.