Connecticut Governor Daniel Malloy recently signed into law, Public Act No. 15-142- AN ACT IMPROVING DATA SECURITY AND AGENCY EFFECTIVENESS (the “Act”). The Act, effective July 1, 2015, addresses data security on a variety of fronts.
One provision of the Act requires businesses to disclose a security breach to the Attorney General within 90 days after the breach is discovered. Failing to do so constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act. The Act also requires businesses to provide identity theft protection and identity theft mitigation services.
The Act also requires contractors receiving confidential information from a state agency to have an active data security program, limiting access to the information, and using preventive technology, as well as having a breach investigation system in place.
The final provision of the Act requires health insurers to implement a written comprehensive information security program by October 2017. The written programs must outline the safeguards the insurer has in place to protect the personal information of its insureds and enrollees. The programs must be updated annually and the insurer must offer at least one year of free identity theft prevention and mitigation services if a breach occurs.