Search form

Connecticut Adds Significant Data Security Mandates for State Contractors, Certain Health Insurance Industry Businesses

By Joseph J. Lazzarotti and Jeffrey M. Schlossberg
  • July 23, 2015

Connecticut has amended its breach notification statute to require that covered businesses provide one year of identity theft protection services to persons affected by certain breaches of their personal information.

Senate Bill 949 also establishes significant data security requirements for entities contracting with state agencies and entities in the health insurance and administration business (e.g., health insurance insurers, pharmacy benefits managers, and third-party administrators). In addition, the law mandates that smartphones sold in the state have hardware or software that will allow an authorized user to disable his or her phone’s “essential features.” Many such devices already contain this feature.

The law has implications beyond the businesses to which it applies directly. For example, professional service providers and other businesses working with covered state contractors or health insurance businesses in Connecticut might find that the new mandates apply to them by contract when they are asked to perform services that involve access to the same personal information triggering these requirements for the covered contractors and businesses. Moreover, employers regularly work with third-party administrators, pharmacy benefit managers, and other health insurance businesses in the administration of their group health plans for employees. These employers should consider ensuring that these entities are compliant with the new mandates.

Contractors Must Implement Data Security Program

Entities that have contracts with the state and receive “confidential information” from state agencies are required to implement and maintain a “comprehensive data-security program,” including the use of security policies, annual reviews of such policies, access restrictions, and mandatory security awareness training for employees beginning July 1, 2015.

“Confidential Information” is defined broadly to include: name, date of birth, mother’s maiden name, driver’s license number, Social Security number, health insurance identification number, and bank and credit card account numbers. Confidential Information also includes protected health information under HIPAA (the Health Insurance Portability and Accountability Act), as well as any information that a state contracting agency identifies as confidential to the contractor.

These entities’ policies, at the minimum, must restrict access to Confidential Information only to authorized contractor employees, maintain the Confidential Information in secure servers with firewall protections, and implement security and breach investigation procedures. Their programs must be reviewed annually and include ongoing employee security awareness program. Further, the contractors must provide to the state Attorney General and the contracting agency a report detailing breaches or suspected breaches, including a plan to mitigate the effects of a breach, or report why the contractor believes no breach occurred.

Beyond safeguarding the data, the law adds limitations on how a contractor can use, maintain, and disclose the Confidential Information received from state agencies. For example, the contractor cannot store Confidential Information on stand-alone computers or notebooks or portable storage devices, such as USB drives. This provision has limited exceptions. Additionally, a contractor may not copy, reproduce, or transmit Confidential Information except as necessary to complete the contracted services. Because of the way many businesses perform their services today (e.g., utilizing flash drives and allowing employees to work from home, perhaps with their own computers), the new mandates may require significant changes in current practices.

Significantly, contractors who are “business associates” of a state agency as defined under HIPAA may have to do more than comply with the HIPAA privacy and security regulations. The HIPAA privacy and security rules establish a floor of protections that can be exceeded by more stringent protections at the state level. Although the Connecticut law provides that “nothing in [the law] shall be construed to supersede a contractor’s obligations pursuant to” HIPAA, state contractors in Connecticut that are business associates will have to revisit their HIPAA policies and procedures to ensure compliance with the state mandates. Of course, state contracts could impose additional security obligations on the contractor, beyond what is provided in the statute.

Like HIPAA, there is no private right of action under the Connecticut law for violations of its requirements. However, the law authorizes the state Attorney General to bring a civil action in the name of the state against a contractor who violates the statute.

Health Insurance Businesses Must Step Up Data Security

Beginning October 1, 2017, any health insurer, health care center, pharmacy benefits manager, third-party administrator, utilization review company, or entity that is licensed to do health insurance business in Connecticut must implement and maintain a “comprehensive information security program to safeguard the personal information of insureds.” Examples of the safeguards the program must include are:

  • secure computer and Internet user authorization protocols, e.g., control of user identification, a reasonably secure method of assigning a password, control of security passwords, restrictions on access only to active users, and blocking of access after multiple unsuccessful attempts to gain access;
  • secure access control measures that include, but are not limited to, restriction of access to personal information only to those who require such data to perform their job duties, passwords that are not default passwords and are reset at least every six months, encryption of all personal information while being transmitted on a public Internet network or wirelessly, encryption of all personal information stored on a laptop computer or other portable device, and monitoring of company security systems for breaches of security;
  • designation of one or more employees to oversee the security program;
  • identification and assessment of reasonably foreseeable internal and external risks to the security of the personal information;
  • development of employee security policies;
  • imposition of disciplinary action on employees for violating security policies;
  • prevention of terminated employees from accessing personal information;
  • annual review of the scope of the secure access control measures; and
  • mandatory post-incident review.

Many of these entities are covered by the HIPAA privacy and security regulations, whether as covered entities (e.g., health insurance issuers) or business associates (e.g., pharmacy benefits managers, and third-party administrators). However, as with the application of the new rules for certain state agency contractors, some of Connecticut’s requirements will go beyond the basic HIPAA regulatory mandates. For example, the Connecticut law requires passwords be changed at least every six months, something that is not expressly required under HIPAA. In addition, like the data security mandates in Massachusetts, the Connecticut law requires encryption of all personal information while being transmitted on a public Internet network or wirelessly and stored on a laptop computer or other portable device. Moreover, under the Connecticut law, the state’s Insurance Commissioner or Attorney General may demand a copy of a covered businesses’ written information security program (WISP) and require changes to the program that the Commissioner or Attorney General believes are necessary. In addition, beginning October 1, 2017, covered health insurance businesses must certify annually to the Insurance Department, under penalty of perjury, that they maintain a comprehensive information security program that complies with the law’s requirements.

Smartphones Sold in Connecticut Must Include Disabling Feature

Starting in July 1, 2016 (through July 1, 2017), retailers of new smartphones in Connecticut must offer smartphones with either hardware or software that will allow an authorized user to disable the phone’s “essential features” to an unauthorized user.

Implications

Businesses covered by the new requirements must take stock of their current operations, policies, and procedures to determine whether they are in compliance. This takes time and only after careful assessment and analysis. Turning this task over to the company’s “IT guy” is likely not the best approach. The security programs contemplated by these new mandates (and those in other states, such as California, Florida, Maryland, Massachusetts, and Oregon) go beyond the functioning of an organization’s electronic information systems. The role of IT is no doubt critical, but these mandates require consideration of administrative and physical safeguards, as well as technical safeguards. They envision careful assignment of access to personal data based on particular need. They seek broad awareness of the safeguards throughout an organization that is accomplished through training and other measures. They mandate incident response planning, a function involving key decision makers in an organization so they know what to expect and their responsibilities in the event of a data breach. They require organizations to obligate their third-party service providers to adhere to similar standards. In short, they contemplate a wholesale, enterprise-wide, regularly reviewed approach to securing personal information that changes and develops with the organization.

Data security laws often reach beyond the entities directly affected by them. This is because to provide their services, directly covered entities will have to work with other businesses that would need access to the personal information driving the laws’ mandates. Accordingly, the safeguards flow downstream, at least through contract.

This is a general summary of the changes. Because of the complexities involved in this area, businesses would be well-served to address specific scenarios with the assistance of counsel.

©2015 Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Reproduction of this material in whole or in part is prohibited without the express prior written consent of Jackson Lewis P.C., a law firm that built its reputation on providing workplace law representation to management. Founded in 1958, the firm has grown to more than 900 attorneys in major cities nationwide serving clients across a wide range of practices and industries including government relations, healthcare and sports law. More information about Jackson Lewis can be found at www.jacksonlewis.com.

See AllRelated Articles You May Like

August 1, 2019

Healthcare Organizations, Is Your Patient Portal Secure?

August 1, 2019

Healthcare organizations’ traditional cybersecurity measures are insufficient against today’s cyberattacks, according to a report from LexisNexis® Risk Solutions and the Information Security Media Group released in July 2019. Even as healthcare organizations embrace new technologies (such as patient portals), the report shows that... Read More

July 26, 2019

New York Enacts SHIELD Act, Adding Data Security Requirements and Strengthening Data Breach Requirements

July 26, 2019

New York has enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) to amend the state’s data breach notification law to impose more expansive data security and data breach notification requirements on companies. The move aims to ensure New York residents are better protected against data breaches of their private... Read More

July 10, 2019

2019: The Mid-Year Outlook for Employers

July 10, 2019

The first six months of 2019 have proven to be busy, challenging professionals in the labor and employment communities to keep up with a number of newly enacted laws and regulations. In the 2019: Mid-Year Outlook for Employers, Jackson Lewis attorneys provide a snapshot of activity from the first half of the year as well as a preview of... Read More