In early June 2015, Governor Malloy signed legislation making wide-ranging changes to state laws that protect personal information of Connecticut residents (the Act). Key data security expansions and their impacts inside and outside of Connecticut include the following:
Section 6 of the Act amends Connecticut data security laws to shorten the time period for mandatory notice to state agencies in the event of a breach to 90 days following breach discovery (unless a shorter time is required by other law). Even more significantly, for breaches involving loss or hacking of computerized data, the breaching company must offer identity theft prevention and mitigation services for at least one full year. This represents a substantial increase from the three-month minimum previously recommended by the Attorney General for offering credit monitoring, credit freeze and similar services.
Section 5 also imposes significant obligations on health insurance companies, effective as of October 2017. Requirements will include:
Companies subject to these requirements also must annually certify compliance to the State Insurance Department under penalty of perjury and must provide the WISP to the Insurance Commissioner or Attorney General upon request.
Sections 1 and 2 of the Act require vendors receiving confidential information pursuant to state contracts to implement and maintain a “comprehensive” data security program that:
Section 4 of the Act empowers the State Office of Policy and Management to develop a program that improves consumer access to data maintained by executive agencies and, in so doing, ensures the security, privacy and confidentiality of such information, including developing with the State Chief Information Officer a detailed “data security and safeguarding plan” for all data accessed or shared through the new access program.
Section 7 of the Act prohibits retail sales of smartphones in Connecticut effective July 1, 2016 unless they contain hardware or capability to receive downloadable software upon activation that can render the phone inoperable to an unauthorized user.
Businesses inside and outside of Connecticut should consider the potential impacts of the Act in at least two principal respects.
First, all businesses, wherever located, should review their WISPs and related data security policies to see whether they are affected by the Connecticut-specific provisions in the Act. At minimum, (1) businesses with Connecticut offices, (2) non-Connecticut businesses with Connecticut resident employees or customers, and (3) especially health insurance companies and all companies seeking to do business as vendors with Connecticut state agencies should review existing policies and WISPs to determine whether changes are needed to reflect the new law. Wireless phone makers and retail outlets should pay particular attention to the July 2016 requirement of remote wiping capability for all smartphones.
Second, all businesses should consider the Act to be a potential “canary in a coal mine” sign of increasing state-law-level regulation of data security. Massachusetts led this trend five years ago with implementation of its rules that require implementation of a WISP for all holders of personal information of Massachusetts residents, wherever the holder is located, and Nevada has followed by requiring tough new data encryption rules. The Act may serve as a third example that may well be followed by implementation of other state regimes in upcoming months and years. Businesses that have not implemented a WISP should consider getting ahead of this emerging trend and doing so as soon as possible.
If you have any questions about this alert, please contact the author, Robert J. Munnelly, Jr., or a member of our Regulatory and Administrative Law Practice.
This article is provided as a courtesy and may not be relied upon as legal advice, or to avoid taxes and penalties. Distribution to promote, market, or recommend any arrangement or investment to avoid or evade taxes, including penalties, is expressly forbidden. Any communication with the author as to its contents, does not, of itself, create a lawyer-client relationship. Under the ethical rules applicable to lawyers in some jurisdictions, this may be considered advertising.