On June 26, Gov. Lamont signed into law Connecticut's new Insurance Data Security Law (IDSL), implementing a new regime of information risk management and event reporting requirements for insurance "licensees." When effective, IDSL will affect the operations of all carriers, producers and other businesses licensed by the Connecticut Insurance Department (CID), but the impact will vary depending on an entity's size, sophistication, volume of nonpublic data, sensitivity of data and reliance on third-party vendors. This alert provides a summary of what Connecticut licensees need to know.
IDSL's effective date was originally slated for this fall but was postponed until October 1, 2020, through a subsequent piece of legislation, P.A. 19-196, which deals with insurance law technical changes.
Background: Prodded by Treasury Department concerns in 2015, the National Association of Insurance Commissioners (NAIC) undertook a multiyear effort to draft model legislation establishing national, insurance-specific standards for data security. It quickly became apparent that consensus on an approach acceptable to regulators, consumer representatives and various sectors within the industry would be difficult to achieve. Roughly concurrently, New York's Department of Financial Services (NYDFS) promulgated its cybersecurity rules for insurers doing business in that state.1 With a significant portion of the industry having become subject to New York's cyber risk management and event notification rules, NAIC's drafting committee was able to conclude its work, and the model act was adopted in October 2017. That model served as the basis for the IDSL.
Where is the new law? The oft inscrutable workings of Connecticut's General Assembly can become even more perplexing during those frenetic days leading up to annual adjournment. That may explain the seemingly odd locus of the new IDSL, submerged almost 300 pages deep within the state's 2019 biennial budget act.2 As a result, it was little noted that when Gov. Lamont signed the budget into law on June 26, Connecticut had joined the small handful of states to have (so far) adopted the NAIC's data security model act. The full text can be found here.
What is the law? Detailed analysis of the lengthy new statute is beyond the scope of this alert. In summary, the IDSL creates two broad areas of compliance concern: security measures and event reporting. The first relates to new risk assessment, management and mitigation duties of covered licensees beginning in the fall of 2020. Among other things, these include the performance of regular risk assessments, the designation of a responsible employee (such as a chief information security officer) and the maintenance of an information security program that is "commensurate" with the size and complexity of the licensee's operations and the nature of its activities. Oversight by the licensee's board of directors is mandated. Notably, licensees must require by October 2021 that appropriate security measures be implemented by any third-party service provider that possesses or controls nonpublic information. An annual written certification must be filed with CID by each February 15. Effectiveness of the information security program provisions is delayed until October 2021 for small licensees (under 20 employees), and there is a full exemption from those requirements for the smallest licensees (fewer than 10 employees).3 Finally, exemptions from IDSL's risk management protocols are provided for those licensees already complying with HIPAA or with another state's information security requirements, if approved under regulations to be adopted by CID.
The second broad area of compliance concern relates to a licensee's handling of "Cybersecurity Events," a term generally encompassing unauthorized access to nonpublic information or to an information system. If IDSL's reporting triggers are met, then a Connecticut domestic insurer's notice-giving obligations upon discovery of an Event are bilateral; they flow both to the commissioner and to affected consumers. Applicable law here is complicated by the existence of two controlling statutes (IDSL and a banking statute, CGS Sec. 36a-701b).
What's different? The answer depends largely on the size and extent of the licensee's insurance operation. Those with a national or regional scope are likely complying with the New York requirements already. For them, IDSL should not create significant new compliance burdens, although they will need to report to CID annually. On the other hand, Connecticut licensees not doing business in New York (and not otherwise exempt under IDSL) will face material new duties relating to data risk assessment and management. Importantly, these new obligations will not merely be internal. They will also extend to licensees' third-party service providers.
IDSL also modifies the Connecticut legal landscape pertinent to data security event reporting. Currently, every "regulated entity" has a reporting obligation for any "information security incident," with the notice to be provided to CID within five business days of discovery under the commissioner's 2010 Bulletin IC-25. IDSL reduces the reporting period to three business days, and it narrows the reporting requirement to domestic insurers and to producers whose home state is Connecticut. It also adds new conditions to the obligation, requiring a report only if (a) information of at least 250 consumers is involved in the event, and (b) there is either some independent state or federal notice requirement or a reasonable likelihood of "material harm" to a Connecticut consumer or to the licensee itself.
What now? Though IDSL's effective date is delayed for 15 months, there are several steps licensees should consider taking at this point.
- Consider whether the entity has New York business sufficient to subject it to the NYDFS' data security regulation, which is already in force. Compliance with New York's regulations, if required, should be a top priority and should make complying with IDSL much easier.
- For licensees with more than 20 employees, begin preparatory work (inventory of data, assessment of risk, board oversight and approval of program) before the October 2020 deadline.
- Ensure ongoing cognizance of the obligation to investigate "information security incidents" and report to CID within five days, under Bulletin IC-25, and be on the lookout for the CID's modifying or withdrawing that Bulletin once the IDSL event reporting regime becomes effective.
Connecticut's IDSL addresses practices relating to security of data—whether in digital or physical form—that any well-managed insurance licensee ought to consider, if not already have in place. Licensees' security officers and compliance professionals should review the new law's provisions to ensure that all technical requirements are being met. In particular, Connecticut licensees should consider how best to comply with the demands the IDSL will impose with respect to oversight of third-party service providers, which may ultimately prove to be the new law's most onerous impact.
Timothy J. (Tim) Curry, a contract attorney resident in Day Pitney's Hartford office, co-authored this alert. He rejoined the firm in June 2019, following a three-year term as Connecticut's Deputy Commissioner of Insurance. His 40-plus-year legal career includes close to three decades in insurance, including in-house roles at Connecticut specialty P&C carriers such as Executive Risk, Chubb Specialty, Darwin Professional and Allied World Assurance Co. Prior to the insurance industry, Curry served as counsel at several Hartford area financial services firms including Society for Savings and Advest. He began his legal career at Day Pitney after graduating with honors from Duke Law School in 1977.
 23 NYCRR 500 (highlighted in a Day Pitney Alert, " New York DFS Issues Revised—And Still Demanding – Cybersecurity Regulations," in July 2017).
 See Connecticut P.A. 19-117, Sections 230 and 231, as amended by P.A. 19-196, Sections 8 and 9, which delayed ISDL's effectiveness until October 2020.
 P.A. 19-117, Sec. 230(c)(10)(i)(I). NB: "Employee" in this context specifically includes independent contractors who have access to private data, so small licensees must carefully consider the status of nonemployed agents, consultants or others who might qualify as employees under ISDL.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.