Last month, Governor Dannel Malloy signed a bill (SB 949) that imposes new, more rigorous data privacy and security requirements on state contractors and the health care industry. SB 949 was passed by the Connecticut legislature on June 1, and some of its provisions are already in effect. Read below to determine what your obligations may be under this new statute.
Shortened time frame for reporting data breaches
Under the new statute, Connecticut companies that experience a data breach are required to provide notice of that breach to both the individuals affected by the breach and the Connecticut Attorney General’s Office no later than 90 days after they discover a that a breach has occurred, “unless a shorter time is required under federal law.” This is a change from the previous, vague requirement of “without unreasonable delay” but it’s much longer than time periods in other, similar statutory schemes, such as HIPAA (60 day time limit). Where the breach involved Social Security numbers, the company is required to give affected individuals a year’s worth of free credit monitoring services and information on how to place a credit freeze on their credit file. These requirements become effective October 1, 2015.
Significant new obligations for state contractors
If a state contractor receives confidential information from a state agency, the contractor is now required to take extra steps to protect the privacy and security of that information. The definition of confidential information is very broad, and this requirement went into effect July 1, 2015, so state contractors who are affected should take immediate steps to comply. Confidential information that deserves this extra protection includes: (1) a person’s name, date of birth or mother’s maiden name; (2) any of the following numbers: motor vehicle operator’s license, Social Security, employee identification, employer or taxpayer identification, alien registration, passport, health insurance identification, demand deposit or savings account, or credit or debit card; (3) unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation; (4) “personally identifiable information” and “protected health information,” as defined in the Family Educational Rights and Privacy Act (FERPA) and HIPAA); and (5) any information that is designated as confidential by the state agency. It does not include information that is readily available from public sources or federal, state or local government records that are accessible by the public.
If the state contractor receives this confidential information, it must take specific steps to protect it. These requirements will be spelled out in the contract with the state agency but they include mandates to the state contractor to: (1) protect confidential information; (2) implement and maintain a comprehensive data security program to protect the information; (3) limit access to authorized employees and agents; (4) maintain the information (a) in a secure server, (b) on secure drives, (c) behind firewall protections, d) monitored by intrusion detection software, (e) in a manner where only authorized employees and agents have access, and (f) as may be “otherwise required” under state or federal law; (5) implement, maintain and update security and breach investigation procedures that are appropriate to the information received from the state agency, so long as those procedures are “reasonably designed” to protect the information from unauthorized access, use, modification, disclosure, manipulation or destruction; and (6) specify how the cost of any notification about, or investigation into, a breach is to be apportioned.
Special requirements for insurance industry data security programs
In addition, health insurers, pharmacy benefit managers, utilization review companies and third-party administrators that are licensed to do business in Connecticut will be required to follow very comprehensive data security procedures. These entities have until Oct. 1, 2017, to develop a written security program and put it in place. The new data security program must comply with a wide variety of administrative, physical and technical requirements, including computer user authentication procedures, measures to control access, risk assessments, specific penalties if an employee violates the security programs, and careful oversight of any outside vendors that might have access to the confidential information. Although these requirements may parallel already existing HIPAA requirements, companies affected by S.B. 949 should be sure to review the statute to ensure that their existing protocol is compliant and make plans to bring any non-compliant provisions into compliance with the statute by the fall of 2017.
A copy of S.B. 949 is available here.