
Connecticut: Cybersecurity


1. GOVERNING TEXTS

Connecticut does not currently have a comprehensive cybersecurity law but has passed sector-specific laws on data security. In particular, in the insurance sector Connecticut enacted the Insurance Data Security Law ('the Data Security Law'), under Chapter 697 of Title 38a of the General Statutes of Connecticut ('Conn. Gen. Stat.'), modeled after the National Association of Insurance Commissioners Insurance Data Security Model Law.

In addition, §36a-701b of Part 1 of Chapter 449 of the Conn. Gen. Stat. ('the Law') provides for data breach notification requirements.

Regulatory authorities

The Data Security Law affects insurance carriers, producers, and other businesses licensed by the Connecticut Insurance Department ('CID').

In addition, the Connecticut Attorney General ('AG') is responsible for enforcing the Act.

Regulatory authority guidance

The Office of Legislative Research of the Connecticut Legislature has issued the following guidance:

Please note that this Guidance Note refers to state-wide legislation for Connecticut. In addition to state requirements outlined here, please note that federal cybersecurity requirements may be applicable under federal laws such as the Gramm-Leach-Bliley Act of 1999 ('GLBA') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). For more information, please refer to the following OneTrust DataGuidance Guidance Notes:

2. SCOPE OF APPLICATION

Not applicable.

3. GENERAL REQUIREMENTS

3.1. Implementation of a cybersecurity framework

Under the Act incentivizing the adoption of cybersecurity standards for businesses ('the Cybersecurity Act'), in any cause of action founded in tort that is brought in Connecticut and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, the Connecticut Superior Court will not assess punitive damages against a covered entity if such entity created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal or restricted information, that conforms to an industry-recognised cybersecurity framework as described in Section 5(c) of the Cybersecurity Act, and that such covered entity designed in accordance with the provisions of Section 5(d) of the Cybersecurity Act.

The cybersecurity program must conform to the current versions of, or any combination of, the following (Section 5(c) of the Cybersecurity Act):

Furthermore, the covered entity's cybersecurity program must conform to the current version of the following (Section 5(c) of the Cybersecurity Act):

In addition, a covered entity's cybersecurity program must be designed to do the following with respect to personal and restricted information (Section 5(d)(1) of the Cybersecurity Act):

  • protect the security and confidentiality of such information;
  • protect against any threats or hazards to the security or integrity of such information; and
  • protect against unauthorised access to and acquisition of the information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates.

The scale and scope of a covered entity's cybersecurity program shall be based on the following factors (Section 5(d)(2) of the Cybersecurity Act):

  • the size and complexity of the covered entity;
  • the nature and scope of the activities of the covered entity;
  • the sensitivity of the information to be protected; and
  • the cost and availability of tools to improve information security and reduce vulnerabilities.

3.2. Notification of cybersecurity incidents

3.2.1. In case of a cybersecurity incident, is there an obligation to notify the regulatory authority?

Yes. Notice of the breach of security shall be provided to the AG (§36a-701b(b)(2)(A) of the Law).

3.2.2. If yes, please describe the process, timeline, and any other formality that needs to be adhered to.

Notice shall be made without unreasonable delay, but not later than 90 days after the discovery of such breach, upon the completion of an investigation to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system, unless a shorter time is required under federal law (§36a-701b(b)(1) of the Law).

Notice of the breach of security shall be provided to the AG no later than the time when notice is provided to the resident (§36a-701b(b)(2)(A) of the Law).

Notification shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has requested that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination (§36a-701b(d) of the Law).

3.2.3. In case of a cybersecurity incident, are there other subjects that need to be notified?

Notice of any breach of security must be made to any resident of Connecticut whose personal information was breached or is reasonably believed to have been breached (§36a-701b(b)(1) of the Law).

3.2.4. Please outline any other bodies that might be notified.

For more information, please refer to the following OneTrust DataGuidance Guidance Note: Connecticut - Data Breach.

3.3. Appointment of a security officer

Not applicable.

3.4. Other requirements

Not applicable.

4. REQUIREMENTS IN THE INSURANCE SECTOR

4.1. Definitions

Authorised Individual: means an individual known to, and screened by, the licensee and determined to be necessary and appropriate to have access to the non-public information held by the licensee and its information systems (Section 3(1) of the Data Security Law).

Consumer: means an individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, and certificate holder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody, or control (Section III, of the Data Security Law). 

Cybersecurity event: means an event resulting in unauthorized access to, disruption or misuse of, an information system or nonpublic information stored on such information system. The term shall not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. A cybersecurity event shall not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed (Section IV, of the Data Security Law). 

Information Security Program: there is no definition of Information Security Program; however, the Data Security Law defines 'Program' as information security program (Section XIII of the Data Security Law).

Information System: means a discrete set of electronic information resources organised for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic non-public information, as well as any specialised system such as an industrial or process controls system, a telephone switching and private branch exchange system, or an environmental control system (Section 3(8) of the Data Security Law).

Licensee: any person licensed, authorised to operate, registered, or required to be licensed, authorised, or registered pursuant to the insurance laws of Alabama, but does not include a purchasing group or a risk retention group chartered and licensed in a state other than  or a person that is acting as an assuming insurer that is domiciled in another state or jurisdiction (Section IX of the Data Security Law).

Non-public Information: means information that is not publicly available information and is (Section XI, of the Data Security Law): 

  • any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:   
    • Social Security number; 
    • Driver's license number or non-driver identification card number; 
    • Financial account number, credit or debit card number; 
    • Any security code, access code, or password that would permit access to a consumer's financial account; and 
    • Biometric records. 

Third-party service provider: refers to a person that is not a licensee and that contracts with a licensee to maintain, process, or store non-public information, or that is otherwise permitted access to non-public information through its provision of services to the licensee (Section 3(16) of the Data Security Law).

4.2. Information security program implementation

The Data Security Law provides a definition of 'information system' as a discrete set of electronic information resources organised for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic non-public information, as well as any specialised system such as an industrial or process controls system, a telephone switching, and private branch exchange system, or an environmental control system (Section 38a-38(b)(6) of the Data Security Law).   

Licensees are responsible for implementing an information security program, and the implementation of the program should correspond to the size and complexity of the licensee, the nature and scope of its activities, including its use of third-party service providers, and the sensitivity of the non-public information used by the licensee or in the licensee's possession, custody, or control. In addition, the licensee is responsible for developing and maintaining a comprehensive written information security program that contains administrative, technical, and physical safeguards for the protection of non-public information and the licensee's information system (Section 38a-38(c)(1) of the Data Security Law). Furthermore, the objectives of the information security program must include the following (Section 38a-38(c)(2) of the Data Security Law):

  • protect the security and confidentiality of non-public information and the security of the information system; 
  • protect against any threats or hazards to the security or integrity of non-public information and the information system; 
  • protect against unauthorised access to, or use of, non-public information, and minimise the likelihood of harm to any consumer; and 
  • define and periodically re-evaluate a schedule for retention of non-public information and a mechanism for its destruction when no longer needed. 

A licensee's information security program must be designed to do all of the following (Section 38a-38(c)(4) of the Data Security Law): 

  • protect the security and confidentiality of non-public information and the security of the information system; 
  • protect against any threats or hazards to the security or integrity of non-public information and the information system; 
  • protect against unauthorised access to or use of non-public information and minimise the likelihood of harm to any consumer; and 
  • maintain policies and procedures for the secure disposal on a periodic basis of any non-public information that is no longer necessary for business operations or for other legitimate business purposes. 

Based on its risk assessment, a licensee shall do all of the following (Section 38a-38(c)(4) of the Data Security Law): 

  • design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the non-public information used by the licensee or in the licensee’s possession, custody, or control; 
  • determine which of the following security measures are appropriate and implement those appropriate security measures: 
    • placing access controls on information systems, including controls to authenticate and permit access only to authorised individuals to protect against the unauthorised acquisition of non-public information; 
    • identifying and managing the data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes in accordance with their relative importance to business objectives and the organisation’s risk strategy; 
    • restricting physical access to non-public information to authorised individuals only; 
    • protecting by encryption or other appropriate means all non-public information while being transmitted over an external network and all non-public information stored on a laptop computer or other portable computing or storage device or media; 
    • adopting secure development practices for in-house developed applications utilised by the licensee; 
    • adding procedures for evaluating, assessing, or testing the security of externally developed applications used by the licensee; 
    • modifying the information system in accordance with the licensee's information security program; 
    • using effective controls, which may include multi-factor authentication procedures for employees accessing non-public information; 
    • regularly testing and monitoring systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems; 
    • including audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee; 
    • implementing measures to protect against destruction, loss, or damage of non-public information due to environmental hazards, such as fire and water damage or other catastrophes or technological failures; and 
    • developing, implementing, and maintaining procedures for the secure disposal of non-public information in any format. 
  • include cybersecurity risks in the licensee’s enterprise risk management process; 
  • stay informed regarding emerging threats or vulnerabilities and utilise reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and
  • provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment. 

A licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its non-public information, internal or external threats to information, and the licensee's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems (Section 38a-38(c)(7) of the Data Security Law).

4.3. Cybersecurity incidents

Each licensee shall notify the Commissioner as promptly as possible, but no later than three business days after a determination that a cybersecurity event involving non-public information in the possession of a licensee has occurred, when either of the following has been met (Section 38a-38(e)(1) of the Data Security Law): 

  • Connecticut is the licensee's state of domicile, for an insurer, or the licensee's home state, for an insurance producer as that term is defined in Section 500.1201 of the Data Security Law, and the cybersecurity event has a reasonable likelihood of materially harming either of the following: 
    • a consumer residing in the State of Connecticut; or 
    • any material part of a normal operation of the licensee; 
  • the licensee reasonably believes that the non-public information involved 250 or more consumers residing in Connecticut and is either of the following: 
    • a cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or other supervisory body under any state or federal law; or 
    • a cybersecurity event that has a reasonable likelihood of materially harming either of the following: 
      • any consumer residing in this state; or 
      • any material part of the normal operation of the licensee. 

The licensee shall provide the information under this subsection in electronic form as directed by the Commissioner (Section 38a-38(e)(2) of the Data Security Law). 

The licensee has a continuing obligation to update the Commissioner regarding any subsequent material changes to the previously provided notice relating to the cybersecurity event (Section 38a-38(e)(2)(B) of the Data Security Law). The licensee shall provide as much of the following information as possible (Section 38a-38(e)(2)(A) of the Data Security Law):

  • the date of the cybersecurity event; 
  • a description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of third-party service providers, if any; 
  • how the cybersecurity event was discovered; 
  • whether any lost, stolen, or breached information has been recovered and, if so, how this was done; 
  • the identity of the source of the cybersecurity event; 
  • whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided; 
  • a description of the specific types of information acquired without authorisation. As used in this subdivision, 'specific types of information' means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer; 
  • the period during which the information system was compromised by the cybersecurity event; 
  • the number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the Commissioner and update this estimate with each subsequent report to the Commissioner under this section; 
  • the results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed; 
  • a description of efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur; 
  • a copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and 
  • the name of a contact person who is both familiar with the cybersecurity event and authorised to act for the licensee. 

The licensee must also comply with the notification requirements where the cybersecurity event occurred in a system maintained by a third-party service provider (Section 38a-38(e)(3) of the Data Security Law).

Where the cybersecurity event involves non-public information that is used by the licensee when acting as an assuming insurer, or that is in the possession, custody, or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify its affected ceding insurers and the Commissioner of its state of domicile within three business days after making the determination that a cybersecurity event has occurred (Section 38a-38(e)(5) of the Data Security Law).

A licensee acting as an assuming insurer does not have other notice obligations relating to a cybersecurity event or other data breach under this section or any other law of the State of Michigan (Section 38a-38(e)(5) of the Data Security Law). 

Where the cybersecurity event involves non-public information that is in the possession, custody, or control of a licensee that is an insurer or its third-party service provider for which a consumer accessed the insurer's services through an independent insurance producer, and for which consumer notice is required, the insurer shall notify the producers of record of all affected consumers of the cybersecurity event not later than the time at which notice is provided to the affected consumers. The insurer is excused from this obligation for any producer who is not authorised by law or contract to sell, solicit, or negotiate on behalf of the insurer, and in those instances in which the insurer does not have the current producer of record information for any individual consumer (Section 38a-38(e)(4) of the Data Security Law). There is a requirement to notify data breaches to the AG under the Law (§36a-701b(b)(2)(A) of the Law). 

Notification to data subjects

In the event of a cybersecurity incident, the licensee must provide notice to the affected individuals to whom the information relates (§36a-701b(b)(1) of the Law).

Third Parties

Not applicable. 

Notification to consumer reporting agencies

Not applicable.

Other requirements

A licensee shall do all of the following (Section 38a-38(c)(3) of the Data Security Law):

  • identify reasonably foreseeable internal or external threats that could result in unauthorised access, transmission, disclosure, misuse, alteration, or destruction of non-public information, including the security of information systems and non-public information that are accessible to, or held by, third-party service providers; 
  • assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the non-public information; 
  • assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including all of the following: 
    • employee training and management; 
    • information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; 
    • detecting, preventing, and responding to attacks, intrusions, or other systems failures; and 
  • implement information safeguards to manage the threats identified in its ongoing assessment, and, no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. 

A licensee shall exercise due diligence in selecting its third-party service provider. A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and non-public information that is accessible to, or held by, the third-party service provider (Section 38a-38(c)(6)(A) of the Data Security Law). 

4.4. Powers / penalties

Not applicable.

4.5. Other

Not applicable.

5. REQUIREMENTS IN THE HEALTH SECTOR

5.1. Definitions

A licensee that is subject to and complies with HIPAA, and with regulations promulgated under HIPAA Privacy and Security Rules, Parts 160 and 164 of Title 45 of the Code of Federal Regulations is considered to be in compliance with the Data Security Law (Section 38a-38(c)(10) of the Data Security Law). 

An Act Improving Data Security and Agency Effectiveness (Public Act No. 15-142) ('the Act') requires that companies follow the notification requirements contained in §36a-701(b) of the Conn. Gen. Stat. (§5(e) of the Act). A company means a health insurer, health care centre or other entity licensed to do health insurance business, a pharmacy benefits manager that administers health benefits, or a utilisation review company (§5(a)(2) of the Act). For the health sector, personal information for the purpose of a company's security program also includes protected health information as defined by Section 1171(4) of HIPAA (§5(b) of the Act). According to HIPAA, health information means any information, whether oral or recorded in any form, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

5.2. Security program / framework

Not applicable.

5.3. Incidents

Not applicable.

5.4. Penalties

Not applicable.

5.5. Other

For more information on federal cybersecurity obligations in the health sector please refer to the following OneTrust DataGuidance Guidance Note USA - HIPAA - Cybersecurity.

6. REQUIREMENTS IN THE FINANCIAL SECTOR

6.1. Definitions

The Banking Commissioner received a mandate to adopt regulations to require credit rating agencies to provide to the Banking Commissioner dedicated points of contact through which the Department of Banking may assist consumers in the event of a data breach (§36a-701c of the Conn. Gen. Stat.). Actions taken by the Department of Banking can be accessed here. 

For federal financial cybersecurity obligations, please see OneTrust DataGuidance's USA – GLBA and USA – GLBA Safeguards Rule Guidance Notes.

6.2. Security program / framework

Not applicable.

6.3. Incidents

Not applicable.

6.4. Penalties

Not applicable.

6.5. Other

For more information on federal cybersecurity obligations in the financial sector, please refer to the following OneTrust DataGuidance Guidance Note: USA - GLBA Safeguards Rule – Cybersecurity.

7. PENALTIES

Any violation of the provisions of the Data Security Law by an insurance provider will be subject to the following penalties (Section 38a-8(f) of Conn. Gen. Stat.): 

  • The licensee's license may be suspended, revoked, or refused if the Commissioner finds, after a hearing, that the licensee's violation of the provisions of the Data Security Law was known or should have been known by one or more of the partners, officers, or managers acting on behalf of the licensee, and that thereafter the violation was not reported in a timely manner to the Commissioner, nor was any corrective action taken; or
  • The licensee may be subject, at the sole discretion of the Commissioner, to a civil fine in an amount not exceeding $50,000 per violation.

8. OTHER AREAS OF INTEREST

A licensee that has fewer than 10 employees, including any independent contractors, is exempt from the requirements of Section 38a-38(c) of the Data Security Law mentioned above. A licensee subject to and in compliance with HIPAA, and with regulations promulgated under that act, is not required to comply with this chapter. An employee, agent, representative, or designee of a licensee, who is also a licensee, is exempt from Section 38a-38(c) of the Data Security Law and does not need to develop its own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee (Section 38a-38(c)(10) of the Data Security Law).


Authored by OneTrust DataGuidance