Connecticut Insurance Commissioner Announces Data Breach Notification Mandate
Joseph Lazzarotti of Jackson Lewis writes:
On August 18, 2010, the Connecticut Insurance Commissioner issued Bulletin IC-25 which mandates that entities within its jurisdiction notify the Department of Insurance of any “information security incident.” This post provides a brief summary of this new requirement.[…]
What is an “information security incident”?
Under this Bulletin, an information security incident is:
any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.
Thus, unlike the general Connecticut data breach notification statute, which requires notification only with respect to computerized personal information, this mandate applies to paper documents that include personal health, financial or personal information. Also, encrypted data is not exempt from this notification requirement.
Read more about the new bulletin on Workplace Privacy Data Management & Security Report. The state is now requiring covered entities to provide it with a lot of detailed information within five (5) calendar days after a breach is identified.
Obviously, I’m delighted to see the inclusion of paper records and the absence of a “significant harm” threshold. Without knowing the history of this bulletin, I might guess that it is, at least in part, a reaction to a number of breaches by health insurers where neither the state nor residents were promptly notified of a breach and where the state’s attorney general investigated the breaches and insisted that the insurers offer credit monitoring services, etc.
That said, this situation also highlights the patchwork quality of regulations and statutes even within one state, much less between states. Can you hear me now, Congress?