On February 26, Bill No. 1024, titled "An Act Concerning the Security of Consumer Data," was introduced in the Insurance Committee of the Connecticut General Assembly. The bill requires health insurers, healthcare centers (a particular type of health insurer under Connecticut law that is akin to an HMO) and "other entities licensed to do health insurance business in Connecticut," pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies to implement data security technology that encrypts the personal information of insureds and enrollees compiled or maintained by the entity. The phrase "other entities licensed to do health insurance business in Connecticut" is undefined in the legislation and has the potential to be construed broadly, thereby effectively expanding the universe of entities to which this legislation could be deemed to apply.
The bill defines "encrypt" as "the transformation of electronic data into a form in which meaning cannot be assigned without the use of a confidential process or key." The term "personal information" is defined to mean an individual's first name or initial and last name in combination with one or more of the following: Social Security number, driver's license number or other state identification number, address, or identifiable health information. The bill requires the Connecticut Commissioner of Insurance to promulgate regulations, in consultation with the Connecticut Commissioner of Consumer Protection, to establish minimum data security standards and to implement the requirements of the bill.
The data security technology requirements must be implemented no later than two years after the effective date of the bill, and entities subject to the law will be required to update their technology as necessary to ensure compliance with the requirements.
Bill No. 1024, which is modeled in part on a similar New Jersey data encryption law passed in January, was introduced by Connecticut State Senate Democrats in the aftermath of the Anthem Health Insurance data breach in early February. According to a release by State Senate Democrats, Anthem is one of Connecticut's largest health insurers and the data breach impacted more than 1.1 million people in the state.
Like the New Jersey law, the Connecticut legislation mandates the use of encryption but is silent as to other measures that insurers can or should take to make it more difficult for attackers to access the systems containing the encrypted information. It remains to be seen how the legislation will evolve as it makes its way through the Connecticut legislative process.
Eric Fader authored a chapter in the 2017 edition of Westlaw's "Data Security and Privacy Law" treatise, published by Thomson Reuters.
Steven A. Cash, Benjamin H. Nissim and David Forscey, policy analyst for the Homeland Security & Public Safety Division of the National Governors Association, co-authored an article, "Cybersecurity Is The Next Frontier Of State Regulation," for Law360.
On March 15, Eric Fader will be presenting a live webinar, "Navigating Legal Issues in Neuromonitoring," for The American Society of Neurophysiological Monitoring (ASNM).
On January 30, Jed Davis will speak at The Knowledge Group Webcast, "Best Strategies in Protecting Your Firm Against Hackers: What Hackers Can and Cannot Do?"
Susan Huntington authored a chapter, "Enterprise Risk Approach to Successful Population Management," in the recently published third edition of the "Enterprise Risk Management Handbook for Health Care Entities."
Eric Fader was quoted in an article, "HHS Offers Health-Care Companies Cyberattack Response Checklist," published in Bloomberg BNA's Privacy Law Watch.
Eric Fader was quoted in an article, "Does the Health-Care Industry Have a Handle on Cybersecurity?," published in Bloomberg BNA's Health Care Blog.
Eric Fader was quoted in an article, "Blue Cross Exec Tests HIPAA By Describing $12M Patient," published in Law360.
Day Pitney Press Release
Eric Fader was quoted in an article, "Trump Budget Anticipates Spending, Net Savings From Fighting Health Fraud," in Bloomberg BNA's Health Care Fraud Report.