On July 26, 2019, Connecticut Governor Ned Lamont signed into law the state’s new Insurance Data Security Law, which imposes new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department (“CID”). In doing so, Connecticut joins New York, South Carolina, Ohio, Michigan, and Mississippi as states that have enacted information security laws for insurance companies. However, whereas the recent trend has been to follow the 2018 Model Act published by the National Association of Insurance Commissioners (“NAIC”), Connecticut largely followed the New York Department of Financial Services’ 2017 Cybersecurity Regulations.
The Connecticut law will require companies to maintain an information security program that is commensurate with the size and complexity of the licensee’s operations; perform regular risk assessments; and designate a responsible individual to oversee the information security program. The law also requires oversight by the licensee’s board of directors and annual certification of compliance to the CID. Licensees will also have to report cybersecurity incidents to the CID within three business days. The law is effective October 1, 2019, but gives licensees until October 1, 2020 to implement their security programs.
While the Connecticut law does not break new substantive ground, it is significant for two reasons. First, Connecticut’s law demonstrates that states have not uniformly adopted the NAIC model over the NYDFS model. And, while the NYDFS and NAIC models are similar, there are important differences in the details. Second, regardless of which model is chosen, Connecticut’s law highlights the fact that insurance companies operating across multiple states will have different obligations, especially with respect to breach notification. Accordingly, insurance licensees should ensure that they are staying abreast of developments and prepared to comply with the changing patchwork of laws and regulations.