July 28, 2015
On June 30, 2015, Gov. Malloy signed SB 949 into law. The law updates Connecticut’s data security laws and adds stringent new requirements to protect an individual’s confidential information.
The law creates the requirement for a comprehensive information security program. By October 1, 2017, health insurers, HMOs, and certain entities regulated by the Connecticut Insurance Department (e.g., pharmacy benefits managers and TPAs) must implement and maintain a comprehensive information security program to safeguard an insured’s and enrollee’s personal information. The law specifies program requirements, including encryption of personal information and disciplinary procedures for employees who violate the security policies; requires the program to be updated at least annually; and requires the entities to offer at least one year of free identity theft prevention and mitigation services if there is an actual or suspected breach.
The law also adds a 90-day deadline for data breach reporting, which applies to anyone who conducts business in Connecticut. Generally, it requires the person to notify impacted state residents of a breach within 90 days after discovering it and to offer at least one year of free identity theft prevention and mitigation services.
Both of these updates are effective Oct. 1, 2015.
Senate Bill 949