On July 20, 2020, the Connecticut Insurance Department issued a bulletin to licensees reminding them that the Connecticut Insurance Data Security Law (“Act”) becomes effective on October 1, 2020 and providing guidance on compliance.
The Act requires “all persons who are licensed, authorized to operate or registered, or required to be licensed, authorized or registered pursuant to the insurance laws of Connecticut” to “develop, implement and maintain a comprehensive written information security program (“ISP”) that complies with” the Act “not later than October 1, 2020.” The Act generally applies to domestic insurers and health care facilities, with some exemptions.
The Act requires the licensee’s ISP to be based upon a risk assessment “and contain safeguards for the protection of nonpublic information and the licensee’s information systems commensurate with the size and complexity of the licensee, its activities, including use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in its possession, custody or control.”
The bulletin reminds licensees that unless a licensee is exempted, the licensee must perform due diligence on its third-party service providers and require those third-party service providers to implement appropriate administrative, technical and physical measures to protect the information disclosed to the third-party service provider by the licensee. Although not specified in the bulletin, licensees may wish to consider documenting such measures through security questionnaires and written contractual obligations.
All licensees (other than those licensees exempt from the law) must provide written confirmation to the Insurance Commissioner on February 15, 2021 and annually thereafter certifying that they are in compliance with the Act. Documentation of plans for material improvements, updates or remedial efforts must be maintained by the licensee and be “available for inspection by the Insurance Department.”
The bulletin outlines in detail the obligations of licensees following a cybersecurity attack or event. Like the New York Department of Financial Services Cybersecurity Regulations, the Act requires licensees to notify the Insurance Commissioner “as promptly as possible, but in no event later than three (3) business days after the date of the cybersecurity event” if the licensee is domiciled in the State of Connecticut or the licensee believes that the event involves more than 250 residents of the State of Connecticut and notification to individuals is required by state or federal law or the licensee believes that the event has “a reasonable likelihood of materially harming any consumer residing in Connecticut….” The notification will be made through the Insurance Commissioner’s website and will be available by October 1, 2020.
The bulletin reminds licensees that the Department has the power to examine and investigate compliance with the Act and to impose penalties for noncompliance. However, the bulletin states that because of COVID-19, the Department “intends to exercise appropriate discretion in evaluating the facts and circumstances of a licensee’s compliance…and in the imposition of sanctions for noncompliance.” The bulletin further states that the Department will not impose sanctions against a licensee if it fails to file its annual certification of compliance by February 15, 2021 as long as the certificate of compliance is filed by April 15, 2021. However, if a licensee is unable to file the certification on a timely basis because of COVID-19, the licensee “is urged to contact the Insurance Department Market Conduct Division to explain why it is unable to file by the deadline.”
Licensees may wish to consider prioritizing compliance with the Act now, developing and implementing their ISPs to be ready for both the October 1, 2020 compliance deadline and the February 15, 2021 certification deadline.
Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume X, Number 211