On July 20, 2020, the Connecticut Insurance Department issued a bulletin to licensees reminding them that the Connecticut Insurance Data Security Law (“Act”) becomes effective on October 1, 2020 and providing guidance on compliance.

The Act requires “all persons who are licensed, authorized to operate or registered, or required to be licensed, authorized or registered pursuant to the insurance laws of Connecticut” to “develop, implement and maintain a comprehensive written information security program (“ISP”) that complies with” the Act “not later than October 1, 2020.” The Act generally applies to domestic insurers and health care centers, with some exemptions.

The Act requires the licensee’s ISP to be based upon a risk assessment “and contain safeguards for the protection of nonpublic information and the licensee’s information systems commensurate with the size and complexity of the licensee, its activities, including use of third-party services providers, and the sensitivity of the nonpublic information used by the licensee or in its possession, custody or control.”

The bulletin reminds licensees that, unless exempted, they must perform due diligence on their third-party service providers and require those providers to implement appropriate administrative, technical and physical measures to protect the information the licensee discloses to them. Although the bulletin does not say how this should be evidenced, licensees may wish to document those measures through security questionnaires and written contractual obligations.

All licensees (except those exempt from the law) must provide written confirmation to the Insurance Commissioner by February 15, 2021, and annually thereafter, certifying that they are in compliance with the Act. Documentation of plans for material improvements, updates or remedial efforts must be maintained by the licensee and be “available for inspection by the Insurance Department.”

The bulletin outlines in detail the obligations of licensees following a cybersecurity attack or event. Similar to the New York Department of Financial Services Cybersecurity Regulations, the Act requires licensees to notify the Insurance Commissioner “as promptly as possible, but in no event later than three (3) business days after the date of the cybersecurity event” if either (a) the licensee is domiciled in the State of Connecticut, or (b) the licensee believes that the event involves more than 250 residents of the State of Connecticut and either notification to individuals is required by state or federal law or the licensee believes that the event has “a reasonable likelihood of materially harming any consumer residing in Connecticut….” Notification will be made through the Insurance Commissioner’s website, which will be available for this purpose by October 1, 2020.

The bulletin reminds licensees that the Department has the power to examine and investigate compliance with the Act and to impose penalties for noncompliance. Nonetheless, the bulletin states that because of COVID-19, the Department “intends to exercise appropriate discretion in evaluating the facts and circumstances of a licensee’s compliance…and in the imposition of sanctions for noncompliance.” The bulletin further states that the Department will not impose sanctions against a licensee that fails to file its annual certification of compliance by February 15, 2021, as long as the certification is filed by April 15, 2021. A licensee that is nonetheless unable to file the certification on a timely basis due to COVID-19 “is urged to contact the Insurance Department Market Conduct Division” to explain why it cannot file by the deadline.

Licensees may wish to prioritize compliance with the Act now, developing and implementing their ISP in time for both the October 1, 2020 compliance deadline and the February 15, 2021 certification deadline.

Linn Foster Freedman


Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.