The Connecticut Insurance Commissioner issued Bulletin IC-25 earlier this month, officially instructing all Department of Insurance Regulated Entities to “notify the Department of any information security incident[s].” The use of data encryption won’t be grounds for granting safe harbor, a departure from the State’s own personal information breach disclosure laws.
The order to inform the Department extends to breaches of paper records as well, not just digital data held on computers, external drives and the like, and entities will have to give notification within five calendar days after the breach is discovered. Notification has to be in writing: first class mail, overnight delivery, and e-mail are given as options.
The bulletin acknowledges that maintaining good information security is a heavy burden for any business. In fact, it even says it "expects" incidents to occur, which suggests the Department accepts that information security breaches are something it will have to live with (while, of course, continuing to work to reduce them). The new mandate is not meant as a punitive measure:
The Department’s concern is to make certain that in addition to minimizing these incidents, licensees and registrants react quickly and affirmatively to let affected Connecticut consumers know that they may be at risk and what is being done to protect sensitive and confidential information. The Department also wants to make sure that there is an opportunity for the Department to actively monitor the situation and guarantee those consumer protections throughout the process.
On the other hand, the Insurance Commissioner also notes:
Each incident will be evaluated on its own merits and depending on the circumstances, some situations may warrant imposition of administrative penalties by the Department. To minimize that potential, licensees and registrants are urged to follow these procedures.
I’m sure that penalties will be assessed in only the most egregious circumstances.
The bulletin itself is a short read, only 4 pages long, and also contains:
Definitions of what comprises an information security incident
What must be included in the content of the notification letter
Where the Department gains its authority to mandate notification
A list of Regulated Entities that needs to
In closing, I should point out that the now-mandatory notification under Bulletin IC-25 is to the Department only. As far as I can tell, it’s up to the breached companies to figure out whether their clients should be notified of the breach as well.
I guess that makes sense, and it also helps explain why the use of encryption software is not grounds for safe harbor, at least not for reporting to the Department itself.
If sensitive information is breached but clients are not at risk because the data was encrypted, the clients don't really need to be told "you're still safe." However, leaving the Department uninformed of such a breach doesn't help it form an overall picture of incidents across the industry, and that seems to be what it really wants.
Update(14 SEP 2010): phiprivacy.net asked the Department whether there is a contradiction with the rules (all breaches of personal info must be reported vs. the clause “the loss of which could compromise or put at risk….”). The Department has answered that “all incidents have to be reported.” There are no exceptions where personal information is breached. Follow the above link for more.