We previously reported that several states, including Connecticut and Rhode Island, have adopted data security requirements similar to the Commonwealth of Massachusetts’ data security regulations, which have been in effect since 2010. The compliance dates for the different sections of the Connecticut data security law were July 1, 2015, October 1, 2015, July 1, 2016, and October 1, 2017. We are working with clients on compliance with these new laws and thought it would be helpful to remind everyone of the provisions and their compliance deadlines.
This week we will point out some important dates and compliance issues set forth in the Connecticut data security law, and next week we will focus on the new provisions in the Rhode Island data security law. Of course, this assumes that companies holding Massachusetts residents’ personal information (for example, any company with Massachusetts employees) are already complying with the Massachusetts data security regulations and have a Written Information Security Program in place.
Here is a cheat sheet for Connecticut (the list is informational and not exhaustive):
As of July 1, 2015:
All state agencies must require by contract that all state agency contractors:
- “Implement and maintain a comprehensive data-security program for the protection of confidential information…which shall include: (A) security policy for contractor employees related to the storage, access and transportation of data containing confidential information; (B) reasonable restrictions on access to records containing confidential information, including the area where such records are kept and secure passwords for electronically stored records; (C) a process for reviewing policies and security measures at least annually; and (D) an active and ongoing employee security awareness program that is mandatory for all employees who may have access to confidential information provided by the state contracting agency that, at a minimum, advises such employees of the confidentiality of the information, the safeguards required to protect the information and any applicable civil and criminal penalties for noncompliance pursuant to state and federal law”
- Limit access to state confidential data
- Maintain state confidential information in secure servers with firewall protection and intrusion detection
- Implement a data breach investigation and response procedure
- Appropriately store state confidential information
What does this mean if you are a company that contracts with the State of Connecticut? These requirements apply to you, and if you do not already have these measures in place, you should consider implementing the required policies and procedures so you are not at risk of losing a state contract.
Effective October 1, 2015 (with a compliance date of October 1, 2017):
All health insurers, health care centers and other entities licensed to do health insurance business in the state, pharmacy benefits managers, third party administrators, and utilization review companies:
- shall implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company (we will call it a CISP)
- The CISP must be in writing
- The CISP must contain administrative, technical and physical safeguards appropriate to the size and scope of the company
- The CISP shall be updated as necessary and practicable, but at least annually
- The CISP must contain the specific security measures enumerated in the law (subsections (A) through (L))
As of October 1, 2017, those companies must:
- Certify annually to the Insurance Department that the company “maintains” a CISP that complies with the law
- Provide a copy of the CISP to the Attorney General or the Insurance Commissioner upon request
So the Privacy Tip for this week is “Get in Compliance.” It’s never too early.