UPDATE: In this alert, issued on July 1, we noted there has been some uncertainty around the compliance date for Connecticut's new Insurance Data Security Law, as a result of the pandemic-shortened 2020 General Assembly session. That issue is addressed directly in CID's Bulletin IC-42, dated July 20, 2020, affirming the effectiveness date of October 1, 2020, along with providing extensive guidance on the IDSL's security program and cyber event provisions. Under IDSL, licensees must certify compliance with the security program requirements each February 15. However, the bulletin states that in 2021, sanctions will not be imposed so long as the licensee's compliance certification is filed by April 15. Lastly, any licensee that will be unable to timely comply with the IDSL's new requirements due to the COVID-19 situation is urged to contact the CID's Market Conduct division and provide a description of the circumstances preventing such compliance.
When must Connecticut's large insurance licensees have their data security programs up and running? In last year's alert, we noted that the state's Insurance Data Security Law (IDSL) requires licensees with 20 or more employees to have their security programs in place no later than October 1, 2020. In December, however, the Connecticut Insurance Department (CID) included in its 2020 legislative package a provision to delay the security program compliance date until October 2021. As we know, the 2020 session was forced into early adjournment by the pandemic, and the delaying amendment was never adopted. Although a special legislative session is planned for later this month, it remains unclear today—less than 90 days from the compliance date—whether CID's amendment will make it onto what is likely to be a limited agenda. Therefore, October 1, 2020, for now continues to be the operative security program target date for larger licensees.
With less than three months until the IDSL's detailed security program requirements go into effect, ensuring compliance with CGS Sec. 38a-38(c) needs to be a priority for every large licensee. Certification of compliance with the CID will be required in February 2021, and requirements for smaller licensees and for all third-party service providers become effective in October 2021. Note also: IDSL provides that "each information security program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities ..." (Emphasis added.) Increased reliance on digital communication and electronic record-keeping in a work-from-home environment will make it important that each licensee carefully assess whether (and how) the COVID-19-driven changes to their particular business operations have affected the adequacy of information security programs they have developed prior to the pandemic.
COVID-19 DISCLAIMER: As you are aware, as a result of the COVID-19 pandemic, things are changing quickly and the effect, enforceability and interpretation of laws may be affected by future events. The material set forth in this document is not an unequivocal statement of law, but instead represents our best interpretation of where things stand as of the date of first publication. We have not attempted to address the potential impacts of all local, state and federal orders that may have been issued in response to the COVID-19 pandemic.
 Originally enacted as Sections 230 and 231 of the 2019 Budget Act (Connecticut P.A. 19-117), the IDSL is now codified in the 2020 Supplement at C.G.S. Sec. 38a-38.
 C.G.S. 38a-38(c). The IDSL exempts licensees with fewer than 20 employees from the information security plan requirement until October 1, 2021, and exempts those with fewer than 10 employees indefinitely.