Sec. 38a-999b. Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.

    (a) As used in this section:

    (1) “Breach of security” has the same meaning as provided in section 36a-701b;

    (2) “Company” means a health insurer, health care center or other entity licensed to do health insurance business in this state, pharmacy benefits manager, as defined in section 38a-479aaa, third-party administrator, as defined in section 38a-720, that administers health benefits, and utilization review company, as defined in section 38a-591a;

    (3) “Encryption” means the rendering of electronic data into a form that is unreadable or unusable without the use of a confidential process or key; and

    (4) “Personal information” means an individual's first name or first initial and last name in combination with any one or more of the following data: (A) A Social Security number; (B) a driver's license number or a state identification number; (C) protected health information as defined in 45 CFR 160.103, as amended from time to time; (D) a taxpayer identification number; (E) an alien registration number; (F) a government passport number; (G) a demand deposit account number; (H) a savings account number; (I) a credit card number; (J) a debit card number; or (K) unique biometric data such as a fingerprint, a voice print, a retina or an iris image, or other unique physical representations. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

    (b) (1) Not later than October 1, 2017, each company shall implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company. Such security program shall be in writing and contain administrative, technical and physical safeguards that are appropriate to (A) the size, scope and type of business of such company, (B) the amount of resources available to such company, (C) the amount of data compiled or maintained by such company, and (D) the need for security and confidentiality of such data.

    (2) Each company shall update such security program as often as necessary and practicable but at least annually and shall include in such security program:

    (A) Secure computer and Internet user authentication protocols that include, but are not limited to, (i) control of user identifications and other identifiers, (ii) multifactor authentication that includes a reasonably secure method of assigning and selecting a password or the use of unique identifier technologies such as biometrics or security tokens, (iii) control of security passwords to ensure that such passwords are maintained in a location and format that do not compromise the security of personal information, (iv) restriction of access to only active users and active user accounts, and (v) the blocking of access after multiple unsuccessful attempts to gain access to data compiled or maintained by a company;

    (B) Secure access control measures that include, but are not limited to, (i) restriction of access to personal information to only those individuals who require such data to perform their job duties, (ii) assignment, to each individual with computer and Internet access to data compiled or maintained by such company, of passwords that are not vendor-assigned default passwords and that require resetting not less than every six months and of unique user identifications, that are designed to maintain the integrity of the security of the access controls, (iii) encryption of all personal information while being transmitted on a public Internet network or wirelessly, (iv) encryption of all personal information stored on a laptop computer or other portable device, (v) monitoring of such company's security systems for breaches of security, (vi) for personal information that is stored or accessible on a system that is connected to the Internet, reasonably up-to-date software security protection that can support updates and patches, including, but not limited to, firewall protection, operating system security patches and malicious software protection, and (vii) employee education and training on the proper use of the company's security systems and the importance of the security of personal information;

    (C) Designation of one or more employees to oversee such security program and the maintenance of such security program;

    (D) (i) Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality or integrity of any electronic, paper or other records that contain personal information, (ii) evaluation and improvement where necessary of the effectiveness of the current safeguards for limiting such risks, including, but not limited to, (I) ongoing employee training, (II) employee compliance with security policies and procedures, and (III) means for detecting and preventing security system failures, and (iii) the upgrade of safeguards as necessary to limit risks;

    (E) Development of employee security policies and procedures for the storage of, access to, transport of and transmittal of personal information off-premises;

    (F) Imposition of disciplinary measures on employees for violating security policies or procedures or other provisions of the comprehensive information security program;

    (G) Prevention of terminated, inactive or retired employees from accessing personal information;

    (H) Oversight of third parties with which such company enters into contracts or agreements that have or will have access to personal information compiled or maintained by the company, by (i) selecting third parties that are capable of maintaining appropriate safeguards consistent with this subsection to protect such personal information, and (ii) requiring such third parties by contract or agreement to implement and maintain such safeguards;

    (I) Reasonable restrictions on physical access to personal information in paper format and storage of such data in locked facilities, storage areas or containers;

    (J) Review of the scope of the secure access control measures at least annually or whenever there is a material change in the company's business practices that may affect the security, confidentiality or integrity of personal information;

    (K) Mandatory post-incident review by the company following any actual or suspected breach of security, and documentation of actions the company takes in response to such breach, including any changes the company makes to its business practices relating to the safeguarding of personal information; and

    (L) Any other safeguards the company believes will enhance its comprehensive information security program.

    (c) On or after October 1, 2017, each company shall certify annually to the Insurance Department, under penalty of perjury, that it maintains a comprehensive information security program that complies with the requirements of subsection (b) of this section.

    (d) Upon request by the Insurance Commissioner or by the Attorney General, each company shall provide to the commissioner or the Attorney General a copy of its comprehensive information security program. If the commissioner or the Attorney General determines that such security program does not conform to the requirements set forth in subsection (b) of this section, the commissioner or the Attorney General shall notify the company of such determination and such company shall make changes as necessary to bring such security program into conformance to the commissioner's or the Attorney General's satisfaction.

    (e) Each company that discovers an actual or suspected breach of security shall (1) comply with the notice requirements set forth in section 36a-701b, (2) be subject to the penalty set forth in subsection (g) of section 36a-701b for failure to comply, and (3) offer appropriate identity theft prevention services and, if applicable, identity theft mitigation services, as set forth in subparagraph (B) of subdivision (2) of subsection (b) of section 36a-701b.

    (f) The Insurance Commissioner shall enforce the provisions of subsections (b) to (d), inclusive, of this section.

(P.A. 15-142, S. 5.)