By: Joseph M. Pastore III, Jack Hewitt, Will Bleveans

An important section of the recent budget bill adopted by the state of Connecticut demonstrates that regulatory fever has become contagious, at least as far as data security is concerned. Section 230 of the recently adopted bill sets forth a comprehensive set of cybersecurity regulations for the state’s insurers, requiring them to comport with guidelines modeled after those developed by New York State’s Department of Financial Services (DFS).¹ Connecticut insurers will now have to develop a “comprehensive written information security program,” evaluate the efficacy of that program “not less than annually,” and periodically aver to the state’s Insurance Commissioner that the law’s provisions are being followed.² In addition, the law requires that insurers establish strict cybersecurity regulations for third parties and develop “incident response plan[s]” to recover in the wake of a cyberattack.³

The data security law also establishes a comprehensive enforcement regime to investigate and punish noncompliance. Under the provisions of Section 230, the state’s Insurance Commissioner has a broad investigative power to verify compliance with the new regulations.⁴ Furthermore, the Commissioner retains the power to punish recalcitrant insurers by revoking business licenses and issuing fines of up to fifty thousand dollars (provided that the offending firms have not shown themselves to be exempt in an evidentiary hearing).⁵ The law does contain some exceptions, however. For a one-year period between 2020 and 2021, insurers with fewer than twenty employees will be exempt from the law’s requirements, and from 2021 on insurers with fewer than ten employees will be exempt.⁶ Moreover, those firms already compliant with the requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (a federal statute)⁷ are exempted from the Connecticut law if they can certify their compliance to state regulators.⁸ Nevertheless, compliance figures to be costly for Connecticut insurers.

As discussed on this blog previously, however, the cost of a cyberattack can often far outstrip the cost of compliance with cybersecurity regulations. This goes double for insurance companies, especially because such firms often possess “high-value consumer information, such as sensitive personal information, health information and payment card information.”⁹ Thanks to the creation of cybersecurity insurance, insurers are often left footing the bill in the wake of a devastating cyberattack elsewhere. Because they have presumably processed numerous such claims, they should know better than anyone else the true cost of a data breach. The aid of knowledgeable legal professionals and a healthy dose of common sense are all that stand in the way of cost-saving compliance with Connecticut’s new cybersecurity regulations.


