
Connecticut Insurance Department Publishes Bulletin on Cybersecurity

Thu 28 Sep, 2017  /  by McIntyre & Lemon  /   Insurance Regulation & Licensing

09/28/17 – The Connecticut Insurance Department published a bulletin that addresses a Connecticut law requiring health insurers, third party administrators (TPAs), and other entities to adopt a cybersecurity program.

Beginning October 1, 2017, Connecticut General Statutes, Section 38a-999b will require Connecticut entities engaged in health insurance, including insurers, TPAs, pharmacy benefit managers, and utilization review companies, to take a variety of steps to ensure that the personal information of insureds that they compile remains safe.

The bulletin explains that the law specifies the requirements of an information security program and requires this program to be updated as necessary and practical. Entities must then certify their compliance with the law annually.

If an entity discovers a security breach, the law requires the entity to notify affected state residents of the breach and offer residents at least one year of free identity theft protection. Entities that do not comply with these requirements commit an unfair trade practice.

Connecticut Insurance Department Bulletin MC-23.