Substitute Senate Bill No. 949, Public Act No. 15-142, has been passed, updating breach notification laws in Connecticut. The new Conn. state law on data breaches enhances protections for state residents, most notably by adding a requirement for all individuals and companies doing business in the state to offer credit monitoring services to victims of a data breach.
The risk mitigation measure is required for a period of one year without charge – as a minimum – when there has been a “Confidential Information breach.” The definition of Confidential Information in Connecticut is:
- A person’s name
- Date of birth
- Mother’s maiden name
- Social Security number
- Employee identification number
- Employer or taxpayer identification number
- Motor vehicle operator’s license number
- Alien registration number
- Health insurance ID number
- Demand deposit account number
- Government passport number
- Credit/Debit card number
- Savings account number
- Plus any unique biometric data (fingerprints, voice prints, retina or iris images, or other unique physical representation)
The definition of a Confidential Information Breach in Connecticut is “an unauthorized person or entity accesses confidential information that is subject to or otherwise used in conjunction with any part of a written agreement with a state contracting agency in any manner.”
If a data breach is suffered, the company or individuals responsible for the data must issue breach notification letters to all individuals affected within 90 days; however HIPAA demands that healthcare providers issue breach notices within 60 days.
The Act requires a “comprehensive information security program” to be put in place and this must be maintained to address security risks and continuously protect data. The new law makes it mandatory for data encryption to be used on all Confidential Information in transit; however other security measures are left up to the individual or organization’s discretion; provided the measures put in place offer a sufficiently high level of protection and include anti-malware software and firewalls.
Contractors – or Business Associates – must now “implement and maintain a comprehensive data security plan for the protection of that information,” and these must be of a level sufficient to meet the minimum requirements stated in the bill. The new laws also apply to health insurers and their Business Associates or contractors, such as pharmacy benefits managers, third-party administrators responsible for administering health benefits, and utilization review companies.