Following on the heels of Health Net's recent settlement with the Connecticut Attorney General for alleged failure to secure medical records and financial information and to promptly notify consumers and regulators of the breach, the Insurance Department issued a bulletin on August 18, 2010, mandating that licensees and registrants of the Department immediately notify the Department of data breaches. The new insurance bulletin addresses the delayed notification concern by providing that the Insurance Department may impose administrative penalties on licensees and registrants that fail to quickly and affirmatively notify the Department and consumers of the risks posed by a data breach.
The triggering event requiring notification is the occurrence of an "information security incident." Such an incident is defined as
"any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers."
The definition of information security incident is noteworthy for its breadth of coverage. First, unlike Connecticut's breach notification statute, whose application is limited to electronic files, media, databases, or computerized data, the Insurance Department's bulletin covers paper and other hard-copy media as well. Second, the breach notification statute does not apply to a breach involving encrypted data; the Department's bulletin applies to encrypted data. And third, the breach notification statute excuses notification if federal, state and local law enforcement agencies concur that the breach will not likely result in harm to individuals; the Department's bulletin contains no such exception.
Although the bulletin covers a breach involving "personal information," those words are not defined. Interestingly, Connecticut adopted a statute a couple of years ago that imposes safeguarding and disposal requirements on persons who possess "personal information" belonging to third parties. In that statute, personal information is defined to include Social Security numbers, drivers' license numbers, state identification card numbers, account numbers, credit or debit card numbers, passport numbers, alien registration numbers, and health insurance identification numbers. This list is not exhaustive, however. Personal information is any "information capable of being associated with a particular individual through one or more identifiers." Perhaps the Insurance Department will refer to that statute for guidance.
Any information security incident that affects any Connecticut resident must be reported in writing to the Insurance Department as soon as the incident is identified, but not later than five (5) calendar days after the incident is identified. Notification should include as much of the following as is known:
The Insurance Department will want to review, in draft form, any communications proposed to be made to affected parties advising them of the incident. And depending on the type of incident and information involved, the Department also will want to have discussions regarding the level of credit monitoring and insurance protection that the Department will require to be offered to affected consumers and for what period of time.
Finally, it is the responsibility of the licensee or registrant to report information security incidents at or by its vendors or business associates that have the potential to affect personal health, financial or personal information of a Connecticut insured, member, subscriber, policyholder, or provider.
If you have questions about the Insurance Department's bulletin, please contact one of the lawyers listed above, members of Day Pitney's Data Protection Task Force. The Task Force continually monitors privacy and data security legislation and regulations in all states and counsels clients on all aspects of privacy and data security laws, including providing the following services:
Connecticut Attorney General's Office, Press Release, Attorney General Announces Health Net Settlement Involving Massive Security Breach Compromising Private Medical and Financial Info (July 6, 2010).
State of Connecticut Insurance Department, Bulletin IC-25 (August 18, 2010).
Conn. Gen. Stat. § 36a-701b (January 1, 2006).
Conn. Gen. Stat. § 42-471 (October 1, 2008).