The Connecticut Insurance Department Bulletin on Breach Notification

Think there's nothing new in the world of state breach notification laws and regulations?  Think again.  On a Wednesday in August, the State of Connecticut Insurance Department issued Bulletin IC-25 to all regulated entities in Connecticut, including insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans, requiring that ALL licensees and registrants notify the Department of any information security incident which affects any Connecticut residents.  This is in addition to, and goes beyond, the existing breach notification requirements under Conn. Gen Stat. 36a-701(b).  The procedural requirements set forth in the Bulletin are extensive, detailed, and will require covered organizations to act VERY quickly when they learn of a  potential incident.  Following are the basics:
 

• How does the Connecticut Insurance Department define "information security incident"?

The Bulletin defines "information security incident" very broadly to include

any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

The requirement that covered organizations provide notice, even where the information is encrypted, is contrary to Connecticut's existing breach notification law and to most of the 46 state breach notification statutes, the majority of which provide a safe harbor from notice to organizations that encrypt covered information (according to the definitions of encryption set forth in each particular statute).  These safe harbors for encrypted data in most state laws are designed to incentivize organizations to put in place safeguards such as encryption to protect data such that it cannot be read or reconstructed in the event of an incident.  As the Connecticut Insurance Department itself recognizes in the Bulletin, "with the overwhelming amount of information obtained and maintained by all businesses[, . . .] there will be at times information security incidents which are beyond the control of the best management practices."  Thus, it is strange that the the Department does not exempt organizations from notification requirements when the organization has taken steps to implement best practices and appropriate controls such as encryption.

• When do I have to provide notice to the Insurance Commissioner?

Immediately.  Really.  Covered organizations must notify the Department of an information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five (5) calendar days after the incident is identified. 

You read that correctly - five (5) calendar days.  This is one of the shortest (if not THE shortest) notification timeframes on the books, outdoing even California's statutory five business day breach notice requirement for clinics, health facilities, home health agencies, and hospices reporting to the State Department of Public Health and to affected individuals (California Health & Safety Code section 1280.15).

• What should be included in the notice to the Insurance Commissioner?

Once again, the Connecticut Insurance Department goes beyond existing state laws, stating that notification should include as much the following as is known:

1. Date of the incident;
    
2. Description of incident (how information was lost, stolen, breached);
    
3. How discovered?;
    
4. Has lost, stolen, or breached information been recovered? If so, how?;
    
5. Have individuals involved in the incident (both internal and external) been identified?;
    
6. Has a police report been filed?;
    
7. Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records etc);
    
8. Was information encrypted?;
    
9. Lost, stolen or breached information covers what period of time?;
    
10. How many Connecticut residents affected?;
     
11. Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed;
     
12. Identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur;
     
13. Copies of the licensee's/registrant's Privacy Policies and Data Breach Policy;
     
14. Regulated entity contact person for the Department to contact regarding the incident (someone who is both familiar with the details and able to authorize actions for the licensee or registrant); and
     
15. Other regulatory or law enforcement agencies notified (who, when).

• How should notice be sent?

Notice must be sent to the Insurance Commissioner via first class mail, overnight delivery service or electronic mail.  (Given the five calendar day notice requirement, organizations should strongly consider electronic mail as a first step to ensure notice arrives in time).

• Can I notify the affected individuals first?

No.  The Connecticut Insurance Department wants to review the draft notices to individuals before they go out.  the Bulletin states as follows:

The Department will want to review, in draft form, any communications proposed to be made to affected insureds, members, subscribers, policyholders or providers advising them of the incident. Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time. 

The Department Market Conduct Division has the responsibility for monitoring the activities associated with any information security incident and will contact the designated licensee or registrant contact for additional information as necessary and to set up a monitoring process. . . .

• Do I have to notify the Connecticut Insurance Department if one of my vendors is responsible for a breach?

Yes.  The Bulletin provides that an information security incident at or by a vendor or business associate of a licensee or registrant, which has the potential of affecting personal health, financial, or personal information of a Connecticut insured, member, subscriber, policyholder or provider of a licensee or registrant, should be reported by the licensee or registrant to the Department.  The Department also states that it will want to be kept informed of how the licensee or registrant is managing the vendor's activities and what protections and remedies are being put in place by the vendor for the Connecticut consumers.

• Does the Insurance Commissioner intend to enforce these requirements?

Yes.  The Bulletin states that "some situations may warrant imposition of administrative penalties by the Department."

•  How can I avoid an enforcement action?

The Bulletin urges licensees and registrants to follow the procedures set forth in the Bulletin (and described above) to minimize the potential for administrative penalties being imposed.

• Does the Connecticut Insurance Department have authority to impose these requirements?

The Bulletin states that the authority to compel this notification to the Department is provided to the Commissioner under Conn. Gen. Stat. §38a-8 which provides the Commissioner with "all powers specifically granted, and all further powers that are reasonable and necessary to enable the Commissioner to protect the public interest" in accordance with the duties imposed on the Commissioner by the insurance statutes.  The Bulletin also states that, in order to maintain licenses to do business in Connecticut, insurers and health care centers are required to exhibit evidence of good management as required by Conn. Gen. Stat. §38a-41 and that the other licensee and registrant entities have similar requirements to do business in Connecticut. The Bulletin also cites Conn. Gen. Stat. §38a-4780 as requiring that each managed care organization conform to all applicable state and federal antidiscrimination and confidentiality statutes and that it ensure that the confidentiality of specified enrollee patient information and records in its custody is protected.  Finally, the Bulletin notes that, under the insurance laws, the Commissioner has been given additional authority to protect the personal information of insurance consumers pursuant to the relevant portions of Conn. Gen. Stat. §42-471.