One of the many questions business owners have to answer upon learning of a data loss or security breach incident is whether to notify governmental authorities and when to do it. The Connecticut Insurance Department has provided a new regulation for insurers and agents in a bulletin on August 18, 2010. The new regulation requires immediate notification to the Department in writing, but no later than 5 days, upon a security incident involving personal identifiers.
The Insurance Department defined a security incident requiring notification as follows:
The Department considers an information security incident to be any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.
This new regulation may have been issued in response to some concerns Attorney General Blumenthal expressed over the Health Net data loss. In particular, Blumenthal was critical of the late (6 months) and inaccurate notice concerning the data loss.
Five days is a very short time frame, let alone responding immediately. It would be very difficult for companies falling under this regulation to meet this notice requirement effectively without already having a privacy plan in place to respond to such an event. I have posted before about the necessity for a privacy plan that addresses data loss and security breach incidents. With these types of notice provisions, privacy plans become more critical as a risk management tool for insurers and agents to avoid administrative penalties.