Connecticut Breach Notification Laws Updated
Connecticut breach notification laws have been updated and are now in effect. Substitute Senate Bill No. 949, Public Act No. 15-142 introduced a number of changes to improve data security and agency effectiveness to better protect state residents.
Updates affect all who do business in the state, with specific changes that affect contractors (Business Associates/BAs) and health insurers.
One of the major changes concerns damage and risk mitigation after a data breach. All companies and individuals doing business in the state must now provide credit monitoring services to breach victims, without charge, for a minimum period of one year if confidential information is exposed.
The definition of “confidential information” varies from state to state. It broadly follows the definitions in HIPAA/HITECH, although in Connecticut it specifically refers to:
- Date of birth
- Mother’s maiden name
- Motor vehicle operator’s license number
- Social Security number
- Employee identification number
- Employer or taxpayer identification number
- Alien registration number
- Government passport number
- Health insurance ID number
- Demand deposit account number
- Savings account number
- Credit/Debit card number
- Unique biometric data (fingerprints, voice prints, retina or iris images, or other unique physical representation)
Connecticut Breach Notification Law Changes
Credit monitoring services must be provided after a “Confidential information breach,” which is described as “an unauthorized person or entity accesses confidential information that is subject to or otherwise used in conjunction with any part of a written agreement with a state contracting agency in any manner.”
Notice must be provided to the state attorney general and patients within 90 days, although healthcare providers are required to issue breach reports within 60 days under HIPAA Rules.
Credit monitoring services typically start at $10-$30 per breach victim which adds up to a considerable cost for a large-scale data breach. With a data breach inevitable, and the cost of the breach response becoming more and more expensive, healthcare providers should revisit the topic of data encryption.
If data can be rendered unreadable or unusable if a device is lost or stolen, such a loss or theft would not result in a data breach under Connecticut data breach laws and HIPAA.
Updates Concerning Health Insurers
Any health insurance business taking place in Connecticut, including business conducted by providers of services related to health insurance – pharmacy benefits managers, third-party administrators responsible for administering health benefits, and utilization review companies for example – must now develop and maintain a “comprehensive information security program,” to protect the data they hold.
There is no single security solution, so insurance companies must implement safeguards which are appropriate to their business and the level of risk they face. However, one stipulation is the encryption of data in transit. If personal information is sent wirelessly, or transmitted over a network accessible to the public, all data must be encrypted.
Connecticut laws also state that anti-virus and anti-malware software must be used, and Firewalls put in place to protect networks from external attacks.
The state law follows HIPAA to a certain extent and requires controls be put in place to limit access to confidential and personal information. As with HIPAA, insurers are responsible for the actions of their Business Associates. It is up to the insurer to make sure that their BAs comply with state and federal laws.
Updates Concerning State Contractors
State contractors provided with access to confidential information – defined in the above list – must also implement controls to protect information. Protections must also be put in place to safeguard any information a state contracting agency stipulates as being confidential to a contractor.
In contrast to HIPAA, where contractors are allowed a degree of flexibility as to how they safeguard data, the new Connecticut law stipulates that Firewalls must be used, data must be saved on secure servers and intrusion monitoring systems must be put in place to detect attacks.
Contractors must “implement and maintain a comprehensive data security plan for the protection of that information,” meeting the minimum requirements stated in the bill.
If you conduct any business in Connecticut, and store, access or transmit confidential or personal information, you can familiarize yourself with full details of Senate Bill 949 here.