Aug 23, 2019
New data security law will take effect October 2020
- The legislation passed as part of the budget process
- Further legislation extended the dates the law goes into effect
- Limited exemptions for licensees with fewer than 20 employees
Gov. Lamont signed an insurance data security law based on the National Association of Insurance Commissioners (NAIC) model legislation, following the recommendation of the Connecticut Insurance Department (CID). The law is part of the budget signed by the governor in early June. The insurance data security section of the budget bill was originally slated to take effect in October 2019, but additional legislation amended its effective date. It will now go into effect Oct. 1, 2020.
The law sets out requirements for licensees in Connecticut to follow when a cyber security event occurs, and all licensees must follow these procedures in response to such an event. The procedures include prompt notice to the insurance commissioner if a cyber security event affects the nonpublic data of 250 or more Connecticut residents, or the licensee’s business operations. The law also specifies the details that must be provided to the insurance commissioner in the notice about the cyber security event. That section of the law will go into effect Oct. 1, 2020, for all entities with an insurance license in Connecticut.
While the law requires a risk assessment and the implementation of an information security program, some licensees may be exempt from the requirement. Licensees with fewer than 10 employees—including independent contractors with access to nonpublic information—will not be required to comply with that section of the law. Licensees with more than 10 but fewer than 20 employees will be exempt from the requirement through Sept. 30, 2021. All licensees that do not qualify for the limited exemption must have their information security programs in place by Oct. 1, 2020. The law requires that licensees develop a program that reflects the findings of their risk assessment, but recommends additional security measures. Only insurers will need to file certification with the CID.
The law does not explicitly state that compliance with New York’s insurance cyber security regulation will qualify as compliance with Connecticut’s new law. However, a provision has been added allowing the Connecticut Insurance Commissioner to deem another state’s cyber security law compliant with the Connecticut data security requirements. A licensee that seeks to comply with the Connecticut requirements under this provision will need to file annual certification of compliance with the approved state’s laws.
Unlike New York, the Connecticut law and the NAIC model legislation exclude licensees from the definition of third-party service provider. The Connecticut law also has a narrower definition of a cyber security event, which focuses on actual security breaches rather than attempted breaches. PIACT will be issuing more information on this subject, including resources and classes, in the coming months.