Clarifying CT's new Insurance Bulletin reporting requirement
The new bulletin from the Connecticut Insurance Commission, mentioned here, had left me a tad confused, so I wrote to them:
Re the definition of a security incident:
“The Department considers an information security incident to be any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.”
It seems that encryption is not an exclusion or safe harbor, but later it says “the loss of which could compromise or put at risk…” Is there actually a “risk of harm” standard here? Since many people would argue that the loss of encrypted data does not put people at risk, the definition of a reportable incident seems a bit self-contradictory. Can you clarify: do ALL incidents have to be reported if they meet the definition of “personal information” and involve a covered entity or only those where there is some assessment/determination that the loss would compromise or put at risk… ?
Today I received an answer from their legal counsel that said:
Yes – all incidents have to be reported.
How nice to have a simple rule.