Only Five Days To Report Data Breach For Insurers And Agents In Connecticut

One of the many questions business owners have to answer upon learning of a data loss or security breach incident is whether to notify governmental authorities and when to do it. The Connecticut Insurance Department has provided a new regulation for insurers and agents in a bulletin on August 18, 2010. The new regulation requires immediate notification to the Department in writing, but no later than 5 days, upon a security incident involving personal identifiers.

The Insurance Department defined a security incident requiring notification as follows: 

The Department considers an information security incident to be any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well being of the affected insureds, members, subscribers, policyholders or providers.

This new regulation may have been issued in response to some concerns Attorney General Blumenthal expressed over the Health Net data loss. In particular, Blumenthal was critical of the late (6 months) and inaccurate notice concerning the data loss.

Five days is a very short time frame, let alone responding immediately. It would be very difficult for companies falling under this regulation to meet this notice requirement effectively without already having a privacy plan in place to respond to such an event. I have posted before about the necessity for a privacy plan to address data loss and security breach incidents. With these types of notice provisions, privacy plans become more critical as a risk management tool for insurers and agents to avoid administrative penalties.

Firestorm Over Whether Bysiewicz Legally Qualified To Be Connecticut Attorney General

As many of us know, the Connecticut Attorney General, Richard Blumenthal, is stepping down and running for Chris Dodd's U.S. Senate seat. Several candidates have stepped forward indicating that they are going to run for Attorney General. The Connecticut Attorney General has a significant impact on businesses in this state. For one thing, the Attorney General often brings lawsuits to protect businesses and consumers related to unfair trade practices. For example, within the last few days, Attorney General Blumenthal filed a lawsuit on behalf of over 400,000 Connecticut residents related to the Health Net data breach. The old saying in legal circles is that the Attorney General runs the largest law firm in the state.

Secretary of State Susan Bysiewicz is one of the candidates running for Attorney General. Ryan McKeen, at A Connecticut Law Blog, has a very interesting post today about whether Susan Bysiewicz has the legal resume to meet the statutory qualifications to be elected Attorney General based on needing 10 years in "active" law practice. The media has jumped on his blog post and there are several reports on it already in the news. The Bysiewicz campaign has responded and claims that she is qualified despite only six years of practice in the state based on her years of "supervising" attorneys at the Secretary of State's office. Now that the issue has been joined, everyone is waiting for Ryan to respond, including me.