Connecticut Insurance Department Requires Notification of Privacy Security Breaches

Wednesday, September 8, 2010 by Chris Stephen
Here is one of those convergence points where business law and privacy law intersect and impose additional administrative duties on the business owner. In a rather interesting bulletin, the Connecticut Department of Insurance (the CID) issued a directive on August 18, 2010, requiring "that all licensees and registrants of the Department notify the Department of any information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five (5) calendar days after the incident is identified." The Department relies on the power granted to it under Connecticut General Statute 38a-8 and the requirement that all insurers and health care centers exhibit evidence of good management. The information to provide in the notification is fairly straightforward, but is also relatively detailed. The notification should contain as much as possible of the following information:

• Date of the incident
• Description of incident (how information was lost, stolen, breached)
• How discovered
• Has lost, stolen, or breached information been recovered and if so, how
• Have individuals involved in the incident (both internal and external) been identified
• Has a police report been filed
• Type of information lost, stolen, or breached (equipment, paper, electronic, claims, applications, underwriting forms, medical records, etc.)
• Was information encrypted
• Lost, stolen or breached information covers what period of time
• How many Connecticut residents affected
• Results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed
• Identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur
• Copies of the licensee's/registrant's Privacy Policies and Data Breach Policy
• Regulated entity contact person for the Department to contact regarding the incident (this should be someone who is both familiar with the details and able to authorize actions for the licensee or registrant)
• Other regulatory or law enforcement agencies notified (who, when)

Further, the Department will want to review, in draft form, any communications intended to be sent to "affected insureds, members, subscribers, policy holders or providers". Finally, there is no specific penalty identified for failure to provide the requisite notice, but the CID does make reference to the potential for "imposition of administrative penalties". Of course, when you are dealing with the agency that provides you with the license to practice in its state, you should plan on playing by its rules.

This requirement comes on the heels of a rather unparalleled piece of privacy litigation that arose back in January 2010. You may recall that the Connecticut Attorney General filed suit against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information for its Connecticut enrollees. The AG, Richard Blumenthal, is utilizing the power granted to him under the Health Information Technology for Economic and Clinical Health Act (HITECH) to pursue HIPAA (Health Insurance Portability and Accountability Act) violations by Health Net and other health care providers that allowed the privacy breach to occur.

One can only assume that the CID did not like the fact that it was not in the loop on those breaches early enough to better protect its citizens. However, while this is interesting as a matter of general awareness of what is going on in Connecticut, I see two greater privacy litigation issues that could arise from this type of bulletin. First, it is rare for one state to stand alone on a directive or issue. Thus, it is likely that other states' Departments of Insurance will pick up on this and think, "I should do that too!" It goes without saying that the more widespread these requirements become, the greater their impact. Secondly, I think the implications of this bulletin are going to be more widespread than one might initially expect. You have to remember that corporate citizens are citizens too. It is not uncommon for insurance and health care companies to register in every state. Thus, if you are a licensee of Connecticut, but are doing business with a company that is based in Nevada but was created in Connecticut, and there is a privacy-related data breach, you have five days to notify the CID of the issue. This may not seem like much now, but imagine if Delaware were to put forth the same type of bulletin. The potential impact of such a directive could be not only widespread, but potentially very costly.

The bottom line is that if you are a licensee of Connecticut and you want to avoid privacy litigation or other administrative trouble, you are best served by enacting a policy or procedure within your protocols to address privacy breaches and the requisite notice, to keep yourself out of trouble. And be prepared that your post-breach communications will be scrutinized, so I recommend you have your technology legal counsel review them beforehand.

If you are in the rest of the country, you should watch with moderate apprehension and wonder pensively, "when will this come to my state?"

A copy of the bulletin can be found here. Read and be merry!
