A new Connecticut law will require many insurance agencies to implement cybersecurity programs. The requirements take effect in less than two months.
The Insurance Data Security Law requires Connecticut licensees to develop, implement and maintain a comprehensive written information security program based on a risk assessment. The program must include the administrative, technical and physical safeguards for protecting the licensee's information systems and the nonpublic information stored in them. The deadline for implementing the program is October 1, 2020. The program must be commensurate with:
- The size and complexity of the licensee
- The nature and scope of the licensee's activities, including, but not limited to, the licensee's use of third-party service providers, and
- The sensitivity of the nonpublic information the licensee uses or has in its possession, custody or control.
Licensees are also required to perform due diligence when selecting the third-party service providers with whom they will do business. By Oct. 1, 2021, they must require these providers to implement their own information security programs. Those programs must safeguard the licensee's systems and the nonpublic information to which the providers have access.
If a cybersecurity event occurs, the licensee must:
- Launch a prompt investigation
- Notify the Insurance Department
- Notify all individuals whose nonpublic information may have been accessed.
Insurers who experience cybersecurity events must notify the producer of record no later than when they notify the consumers.
Penalties for non-compliance are up to $50,000 per violation.
Some licensees are exempt from the law's requirements:
- Between Oct. 1, 2020 and Sept. 30, 2021, licensees with fewer than 20 employees including independent contractors
- On and after Oct. 1, 2021, licensees with fewer than 10 employees including independent contractors
- Licensed employees, agents, representatives or designees of licensees
Big I Connecticut successfully fought for the exemptions for small agencies.
Other licensees are deemed compliant if they meet one of the following requirements:
- Licensees who are subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Licensees who are compliant with the requirements of another jurisdiction approved by the Connecticut Insurance Department
The department may issue regulations that name the approved jurisdictions. Licensees who comply this way must submit a certification to the department by Feb. 15 each year.
For more information, see Insurance Department Bulletin IC – 42.