We previously outlined the requirements of the Connecticut data breach law when it was amended in 2015, including the requirement to implement a comprehensive information security program (CISP).

The law requires that Third Party Administrators (TPAs) and Pharmacy Benefit Managers (PBMs) must implement a CISP by October 1, 2017, and certify to the Connecticut Insurance Department that they maintain a CISP in compliance with the statute.

The Connecticut Insurance Department has issued a Bulletin (MC-23) reminding those entities that fall under the law (including TPAs and PBMs) that they must have the CISP in place by October 1, 2017, and certify that it is in place using the certification attached to the Bulletin [access the certification here].

The October 1 deadline is approaching, so if you are a TPA or PBM, implementation of your CISP is high priority.