Public Act 05-148 became effective Jan. 1, 2006, and was codified as Sections 36a-701 and 701a of the Connecticut General Statutes. It allows a consumer to place a security freeze on his or her credit report. The law also requires businesses to inform affected consumers if there has been a security breach involving their computerized personal information. In August 2010, the Connecticut Insurance Department issued Bulletin IC-25 to supplement Public Act 05-148, requiring businesses to notify the commissioner if there has been a security breach involving their computerized personal information.

Security freezes

A “security freeze” is a notice placed in a consumer’s credit report at the written request of the consumer that prohibits a credit-rating agency from releasing the consumer’s credit report or any information from it without the express authorization of the consumer.
A consumer who has placed a security freeze on his or her credit report can request that the freeze be removed or temporarily lifted (either for a particular party or for a period of time) by providing certain information to the credit-rating agency. Other noteworthy provisions include:
- a credit-rating agency must freeze the report within five business days of receipt of a written request. A credit-rating agency can charge a fee of no more than $10 for each security freeze or removal or temporary lift of a security freeze for a period of time and no more than $12 for a temporary lift for a particular party;
- a credit-rating agency must send the consumer a written confirmation including a unique personal identification number or password within 10 business days after freezing a report;
- a credit-rating agency may refuse to implement or may remove a security freeze under limited circumstances, including good-faith suspicion of fraud; and
- there are various exemptions to the prohibition against disclosure of a frozen credit report, including permissible disclosures to a person acting pursuant to a court order, warrant or subpoena.
Security breaches of computerized data

Anyone who owns, maintains or licenses computerized data that includes personal information must disclose a “breach of security” to residents whose personal information has been, or is reasonably believed to have been, accessed by an unauthorized person. The disclosure must be made without unreasonable delay, but is not required if the business can establish that the breach will not likely result in harm to the individuals whose information has been accessed.
Any person who maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any security breach immediately following its discovery.
The bill defines “breach of security” as the unauthorized access to, or acquisition of, electronic files, media, databases or computerized data that contains personal information when access to the information has not been secured by encryption or by any other method or technology that makes it unreadable or unusable.
What is “personal information”?

“Personal information” means an individual’s first name or initial and last name in combination with one or more of the following:
- Social Security number;
- driver’s license number or state identification card number; or
- an account number, credit or debit-card number, in combination with its security code, access code or password that permits access to the individual’s financial account.
The bill excludes publicly available information that is lawfully made available to the public from federal, state or local government records or widely distributed media.
Notice

The notice required by the new law can be provided by one of the following methods:
- written notice;
- telephone notice;
- electronic notice; or
- substitute notice (if a person can demonstrate that the cost of using the above methods would exceed $250,000, that the class of people to be notified exceeds 500,000, or that the person does not have sufficient contact information).
The notice required by this law can be delayed by a law-enforcement agency if such agency determines that the notification will impede a criminal investigation.
Bulletin IC-25 expands the notice provisions of the law by requiring that any information security incident that affects any Connecticut resident be reported in writing to the commissioner as soon as the incident is identified, but not later than five calendar days after the incident is identified. Notification should include as much of the following as is known:
- date of the incident;
- description of the incident (how information was lost, stolen or breached);
- how discovered;
- has lost, stolen or breached information been recovered and, if so, how;
- have individuals involved in the incident (both internal and external) been identified;
- has a police report been filed;
- type of information lost, stolen or breached (equipment, paper, electronics, claims, applications, underwriting forms, medical records, etc.);
- was information encrypted;
- what period of time the lost, stolen or breached information covers;
- how many Connecticut residents affected;
- results of any internal review identifying either a lapse in internal procedures or confirmation that all procedures were followed;
- identification of remedial efforts being undertaken to cure the situation which permitted the information security incident to occur;
- copies of the licensee’s/registrant’s privacy policies and data-breach policy;
- regulated entity contact person for the department to contact regarding the incident. (This should be someone who is both familiar with the details and able to authorize actions for the licensee or registrant.); and
- other regulatory or law-enforcement agencies notified (who, when).
The department will want to review, in draft form, any communications proposed to be made to affected insureds, members, subscribers, policyholders or providers advising them of the incident. Depending on the type of incident and information involved, the department also will want to discuss the level of credit monitoring and insurance protection that it will require to be offered to affected consumers, and for what period of time.
If you would like information on insurance products that can protect your business in the event of a security breach, please call Tim Russell at 203-255-2877.