PA 15-142—sSB 949

Government Administration and Elections Committee

Insurance and Real Estate Committee

Judiciary Committee

AN ACT IMPROVING DATA SECURITY AND AGENCY EFFECTIVENESS

SUMMARY: This act establishes protocols to protect confidential information (CI) that an entity obtains from a state contracting agency under a written agreement to provide goods or services to the state. Under the act, if an agreement requires a state contracting agency to share CI with a contractor, the contractor must, at its own expense, take certain steps to prevent data breaches. Among other things, contractors must:

1. implement and maintain a comprehensive data security program to protect CI;

2. limit CI access to authorized employees and agents for authorized purposes under confidential agreements;

3. use certain technology, such as firewalls and intrusion detection software, to maintain all data obtained from state contracting agencies; and

4. report actual or suspected data breaches to the attorney general and state contracting agency.

The act also amends existing law's security breach notification requirements applicable to any person who conducts business in Connecticut. It generally requires the person to (1) notify impacted state residents of a breach within 90 days after discovering it and (2) offer at least one year of free identity theft prevention and mitigation services.

The act requires each health insurer, HMO, and related entity, by October 1, 2017, to implement and maintain a comprehensive information security program to safeguard the personal information these entities compile or maintain on insureds and enrollees. It specifies program requirements, requires that the program be updated at least annually, and requires the entities to offer at least one year of free identity theft prevention and mitigation services if a breach occurs.

The act requires the Office of Policy and Management (OPM) secretary to (1) develop a program to access, link, analyze, and share data maintained by executive agencies and (2) respond to queries from state agencies and private requestors. It requires the OPM secretary to:

1. establish policies and procedures to review and respond to queries while protecting confidential data,

2. develop and implement a secure information technology solution to link data across executive agencies, and

3. execute an agreement with each agency on data-sharing.

The act also prohibits anyone, from July 1, 2016 to July 1, 2017, from offering a new smartphone model for retail sale in Connecticut unless the smartphone has certain features to prevent unauthorized use. Lastly, it makes technical changes.

EFFECTIVE DATE: July 1, 2015, except that (1) certain technical changes are effective upon passage; (2) the provisions concerning (a) existing law's notification requirements and (b) the security program for health insurers, HMOs, and other entities are effective October 1, 2015; and (3) the smartphone provisions are effective July 1, 2016.

1 & 2 — STATE CONTRACTOR REQUIREMENTS

Confidential Information

With respect to information possessed by a state contractor, the act defines “confidential information” as:

1. a person's name, date of birth, or mother's maiden name;

2. any of the following numbers: motor vehicle operator's license, Social Security, employee identification, employer or taxpayer identification, alien registration, passport, health insurance identification, demand deposit or savings account, or credit or debit card;

3. unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation;

4. “personally identifiable information” and “protected health information,” as defined in federal education and patient data regulations, respectively; or

5. any information that a state contracting agency tells the contractor is confidential.

CI does not include information that may be lawfully obtained from public sources or from federal, state, or local government records lawfully made available to the general public.

Contractor Security Protocols

Except in cases where the OPM secretary allows for alternate security assurance measures (see Additional Protections and Exceptions, below), every written agreement that authorizes a state contracting agency to share CI with a contractor must require the contractor to do at least the following:

1. at its own expense, protect from a CI breach all CI it has or controls, wherever and however stored or maintained;

2. implement and maintain a comprehensive data security program to protect CI (see below);

3. limit CI access to the contractor's authorized employees and agents for authorized purposes as necessary to complete contracted services or provide contracted goods;

4. maintain all CI obtained from state contracting agencies (a) in a secure server, (b) on secure drives, (c) behind firewall protections and monitored by intrusion detection software, (d) in a manner where access is restricted to authorized employees and agents, and (e) as otherwise required under state and federal law; and

5. implement, maintain, and update security and breach investigation procedures that are (a) appropriate given the nature of the information disclosed and (b) reasonably designed to protect CI from unauthorized access, use, modification, disclosure, manipulation, or destruction.

Under the act, a state contracting agency is a state agency, led by a department head (e.g., the Department of Administrative Services), that discloses CI to a contractor pursuant to a written agreement to provide goods or services for the state.

Data Security Program. The safeguards in the contractor's required data security program must be consistent with and comply with the safeguards for protecting CI, as set forth in all applicable federal and state laws and the written policies of the state in the agreement. The program must at least include:

1. a security policy for employees on storing, accessing, and transporting data with CI;

2. reasonable restrictions on accessing records with CI, including the area where the records are kept, and secure passwords for electronically stored records;

3. a process for reviewing policies and security measures at least annually; and

4. a mandatory, active, and ongoing employee security awareness program for all employees with access to CI provided by the state contracting agency.

At a minimum, the security awareness program must advise the employees of the information's confidentiality, safeguards required to protect the information, and any applicable state and federal civil and criminal penalties for noncompliance.

Data Storage. The act prohibits contractors, unless specified in the agreement, from:

1. storing CI on stand-alone computer or notebook hard disks or portable storage devices such as external or removable hard drives, flash cards, flash drives, compact disks, or digital video disks or

2. copying, reproducing, or transmitting CI except as necessary to complete contracted services or provide contracted goods.

All copies of CI data, including modifications or additions to the data, are subject to the provisions governing the original data.

CI Breaches

With respect to state contractors, the act defines “confidential information breach” as any instance where an unauthorized person or entity accesses CI that is subject to or otherwise used in conjunction with any part of a written agreement with a state contracting agency. This includes instances in which:

1. CI not encrypted or secured by any other method or technology that makes the personal information unreadable or unusable is misplaced, lost, stolen, or subject to unauthorized access;

2. a third party, without prior written state authorization, accesses or takes control or possession of (a) unencrypted or unprotected CI or (b) encrypted or protected CI and the confidential process or key capable of compromising its integrity; or

3. there is a substantial risk of identity theft or fraud of the client of the state contracting agency, contractor, state contracting agency, or state.

Notification of Data Breaches. Under the act, the agreement between the agency and contractor must require the contractor to take certain actions in the case of an actual or suspected CI breach. The contractor must:

1. notify the contracting agency and attorney general, as soon as practical, after becoming aware or having reason to believe that a breach occurred;

2. immediately stop using the data provided by the contracting agency or developed internally by the contractor pursuant to a written agreement with the state, if the contracting agency directs the contractor to do so; and

3. submit to the attorney general's office and the contracting agency, following a timetable established in the contractor's agreement with the agency, a report either (a) detailing the breach and providing a plan to mitigate its effects with the steps taken to prevent future breaches or (b) explaining why, upon further investigation, the contractor believes no breach occurred.

The act specifies that the report is not subject to disclosure under the Freedom of Information Act (FOIA). The agreement between the contractor and agency must also specify how the cost of any notification about, or investigation into, a CI breach is to be apportioned when the agency or contractor is the subject of a breach.

The act allows the notice to the contracting agency and attorney general to be delayed if a law enforcement or intelligence agency informs the contractor that the notification would impede a criminal investigation or jeopardize homeland or national security. If the notice is delayed, the contractor must provide it to the contracting agency as soon as reasonably feasible.

The act also allows the notice to be delayed at the contracting agency's sole discretion based on the report and, if applicable, plan provided. However, since the notice appears to precede the report and the plan, it is unclear how it could be delayed based on the report and plan.

Under the act, the attorney general may investigate and bring a civil action in Hartford Superior Court against contractors who violate its provisions. The act does not create a private right of action.

The act's requirements for data security are in addition to others in existing law (see 6 – GENERAL REQUIREMENTS FOR SECURITY BREACH NOTIFICATIONS, below). The act's provisions with regard to contractors must not be construed to supersede a contractor's obligations under the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), or any other applicable federal or state law (see BACKGROUND).

Breaches of Education Records. If CI has education records with personally identifiable information, as defined under federal regulations, the contractor may be subject to a five-year ban on receiving access to such information, imposed by the State Department of Education. The information in this case is:

1. the name or address of a student, his or her parents, or other family members;

2. a personal identifier (e.g., a student's Social Security number);

3. other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community to identify the student with reasonable certainty; or

4. information requested by anyone who the educational agency or institution reasonably believes knows the identity of the student to whom the record relates (34 CFR 99.3).

Additional Protections and Exceptions

Under the act, the OPM secretary, or his designee, may require additional protections or alternate security assurance measures for CI if the facts and circumstances warrant them after considering, among other factors, the:

1. type and amount of CI being shared,

2. purpose for which the CI is being shared, and

3. types of goods or services covered by the contract.

6 — GENERAL REQUIREMENTS FOR SECURITY BREACH NOTIFICATIONS

The act amends the security breach notification requirements applicable to any person who conducts business in Connecticut.

Existing law generally requires anyone who conducts business in the state and who, in the ordinary course of business, owns, licenses, or maintains computerized data that includes personal information to disclose a security breach without unreasonable delay to state residents whose personal information has been, or is reasonably believed to have been, accessed by an unauthorized person. It also requires the person to notify the attorney general of the security breach not later than when the affected residents are notified. Failing to notify the residents or attorney general constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA) (see BACKGROUND).

The act specifies that these notices must be given within 90 days after the discovery of a breach, unless federal law requires a shorter time. By law, notice is required for a breach that compromises a person's (1) first name or initial and last name in combination with a Social Security number; (2) driver's license or state identification card number; or (3) account, credit, or debit card number and any required security code or password.

Additionally, the act requires that the notice include an offer of at least one year of free identity theft prevention and monitoring services. The notice must tell a person how to (1) enroll in the services and (2) place a freeze on his or her credit file. The act makes failing to offer these services a CUTPA violation.

5 — COMPREHENSIVE INFORMATION SECURITY PROGRAM

The act requires each health insurer, HMO, and related entity (“company”), by October 1, 2017, to implement and maintain a comprehensive information security program to safeguard the personal information it compiles or maintains on insureds and enrollees. The act specifies program requirements and requires the program to be updated as necessary and practicable, but at least annually.

Beginning October 1, 2017, each company must annually certify to the Insurance Department, under penalty of perjury, that it maintains a program in compliance with the act. The insurance commissioner or attorney general may request a copy of a company's program to determine compliance. If either one determines that the program is noncompliant, the company must amend it to bring it into compliance to the commissioner's or attorney general's satisfaction.

The act requires each company that discovers an actual or suspected security breach to (1) notify each impacted state resident without unreasonable delay, but at least within 90 days after discovering the breach, unless federal law requires a shorter time; (2) offer impacted residents at least one year of free identity theft prevention and mitigation services; and (3) inform the residents on how to enroll in the services and place a freeze on their credit files. A company that fails to comply with these requirements commits an unfair trade practice.

The act requires the insurance commissioner to enforce the act's provisions regarding a company's comprehensive information security program.

Affected Companies

The program requirements apply to each (1) health insurer, HMO, and other entity licensed to write health insurance in Connecticut; (2) pharmacy benefits manager; (3) third-party administrator that administers health benefits; and (4) utilization review company.

Personal Information

The act defines “personal information” (for purposes of a company's security program) as a person's first name or initial and last name used with any one or more of the following: (1) Social Security number; (2) driver's license or state identification number; (3) protected health information, as defined by HIPAA; (4) taxpayer identification number; (5) alien registration number; (6) passport number; (7) demand deposit account number; (8) savings account number; (9) credit or debit card number; or (10) unique biometric data (e.g., fingerprint, voice print, or retina or iris image). Personal information does not include publicly available information lawfully available in government records or widely distributed media.

Breach of Security

Under the act, “breach of security” (for purposes of a company's security program) means unauthorized access to or acquisition of electronic files, media, databases, or computerized data containing personal information when access has not been secured by encryption or other technology that renders the information unreadable or unusable.

Program Requirements

By October 1, 2017, the act requires that each company's comprehensive information security program be in writing and include administrative, technical, and physical safeguards appropriate to the (1) size, scope, and type of its business; (2) amount of resources available to the company; (3) amount of data the company compiles or maintains; and (4) need for data security and confidentiality.

Authentication Protocols. Each program must include secure computer and Internet user authentication protocols, including:

1. control of user identifications and other identifiers;

2. multifactor authentication that includes (a) a reasonably secure method of assigning and selecting a password or (b) unique identifier technology (e.g., biometrics or security tokens);

3. control of security passwords to ensure that they are maintained in a way that does not compromise personal information;

4. restricting access to active users and active user accounts only; and

5. blocking access after multiple unsuccessful attempts to gain access to information.

Access Control Measures. The act requires that each program include secure access control measures, including:

1. restricting access to personal information to only those individuals who need it to perform their jobs;

2. assigning, to each person with computer and Internet access to the company's data, (a) passwords that are not vendor-assigned defaults and that must be reset at least every six months and (b) unique user identifications that are designed to maintain the security of the access controls;

3. encrypting all personal information when (a) transmitted on a public Internet network or wirelessly or (b) stored on a laptop computer or other portable device;

4. security breach monitoring;

5. maintaining, for personal information on a system connected to the Internet, reasonably up-to-date software security protection that can support updates and patches (e.g., firewalls and malware protection); and

6. educating and training employees on properly using the company's security systems and the importance of securing personal information.

Each company must review the scope of these measures at least annually or whenever there is a material change in the company's business practices that may affect the security, confidentiality, or integrity of personal information.

Other Requirements. Additionally, the act requires that each program:

1. designate one or more employees to oversee the program and its maintenance;

2. (a) identify and assess reasonably foreseeable risks to the security, confidentiality, or integrity of any records with personal information; (b) evaluate and improve, as necessary, the effectiveness of the current safeguards to limit those risks (e.g., employee training); and (c) upgrade safeguards as necessary to limit risks;

3. develop employee security policies and procedures for storing, accessing, transporting, and transmitting personal information off-premises;

4. discipline employees who violate the security program;

5. prevent terminated, inactive, or retired employees from accessing personal information;

6. oversee contracted third parties that have access to personal information by selecting those capable of maintaining appropriate safeguards and requiring them to implement and maintain safeguards that are consistent with the act;

7. include reasonable restrictions on physical access to personal information in paper format (e.g., storing data in locked facilities);

8. (a) include mandatory post-incident review by the company following a suspected or actual security breach and (b) document the company's response actions; and

9. include any other safeguards the company believes will enhance its program.

4 — OPM DATA ACCESS PROGRAM

The act requires the OPM secretary to (1) develop a program to access, link, analyze, and share data maintained by executive agencies and (2) respond to queries from state agencies, private entities, or others that would otherwise require access to data maintained by two or more executive agencies. The secretary must prioritize queries that seek to measure outcomes for state-funded programs or that may facilitate the development of policies to promote the effective, efficient, and best use of state resources. He must notify the applicable executive agency when data within the agency's custody is requested.

With respect to the data access program, (1) an “executive agency” is any agency with a department head, a constituent unit of higher education, or the Office of Higher Education and (2) “state agency” is any office; department; board; council; commission; institution; constituent unit of the state system of higher education; technical high school; or other executive, legislative, or judicial branch agency.

“Data” means statistical or factual information that (1) is in a list, table, graph, chart, or other nonnarrative form that can be digitally transmitted or processed; (2) is regularly created and maintained by or on behalf of an executive agency; and (3) records a measurement, transaction, or determination related to the mission of the executive agency or provided to it by a third party as required by law. Data does not include tax returns or return information, as defined in state law.

Required Program Elements

The act requires the OPM secretary to establish policies and procedures to:

1. review and respond to queries to ensure that (a) a response is permitted under state and federal law, (b) protected data's privacy and confidentiality can be assured, and (c) the query is based on sound research design principles and

2. protect and ensure the security, privacy, confidentiality, and administrative value of data collected and maintained by executive agencies.

The secretary must request from, and execute a memorandum of agreement with, each executive agency detailing data-sharing between the agency and OPM. The agreement must (1) authorize OPM to act on behalf of the executive agency for purposes of data access, matching, and sharing and (2) include provisions to ensure the proper use, security, and confidentiality of the shared data. Any executive agency asked to execute an agreement must comply.

The act also requires the OPM secretary, in consultation with the state's chief information officer, to develop and implement a (1) secure information technology solution to link data across executive agencies and (2) detailed data security and safeguarding plan for the data accessed or shared through the solution.

The act specifies that, for the purposes of FOIA, OPM is not considered the agency with custody or control of public records or files made accessible to the office under the data access program. Presumably, this means that if another agency provides records to OPM under the program, OPM would not be required to disclose those records in response to a FOIA request. OPM must, however, be considered the agency with custody and control of public records or files it creates, including reports it generates to respond to data queries (i.e., OPM must disclose those records under FOIA unless they are otherwise exempt).

Labor Department Records

Under the act, the OPM secretary is an authorized representative of the labor commissioner or unemployment compensation administrator and must receive, on request, any information the commissioner has relating to employment records that may include (1) an employee's name, Social Security number, and current residential address; (2) employer's name, address, and North American Industry Classification System code; and (3) wages. The act requires the Labor Department, upon the secretary's request, to furnish unemployment compensation wage records contained in the quarterly returns required and maintained by the labor commissioner. (The act has an incorrect statutory reference for these returns.)

7 — SMARTPHONES

The act prohibits anyone, from July 1, 2016 to July 1, 2017, from offering a new smartphone model for retail sale in Connecticut unless the smartphone has certain features to prevent unauthorized use. These features are specific software or hardware, a combination of both, or software that is downloadable upon initial activation upon purchase. Once initiated and successfully communicated by an authorized user, this software or hardware must make the smartphone's essential features inoperable to an unauthorized user.

Under the act, a “smartphone” is a hand-held cellular mobile telephone or other mobile voice communications handset device with certain mandatory features. The features must include:

1. a mobile operating system;

2. wireless network connectivity; and

3. the capability to (a) use mobile software applications, (b) access and browse the Internet, (c) use text messaging and digital voice service, (d) send and receive e-mail, and (e) operate on a long-term evolution network or on any successor wireless data network communication standard.

A smartphone does not include a (1) telephone commonly referred to as a “feature” or “messaging” telephone, (2) laptop computer, (3) tablet device, or (4) device with only electronic reading capability.

BACKGROUND

HIPAA and FERPA

The HIPAA “privacy rule” sets national standards to protect the privacy of health information. It protects individually identifiable health information by defining and limiting the circumstances under which covered entities may use or disclose such information.

Except under specified and limited circumstances, FERPA requires schools to obtain written permission from a parent or guardian before disclosing educational records to a third party.

CUTPA

CUTPA prohibits businesses from engaging in unfair and deceptive acts or practices. It allows the consumer protection commissioner to issue regulations defining what constitutes an unfair trade practice, investigate complaints, issue cease and desist orders, order restitution in cases involving less than $5,000, enter into consent agreements, ask the attorney general to seek injunctive relief, and accept voluntary statements of compliance. It also allows individuals to sue. Courts may issue restraining orders; award actual and punitive damages, costs, and reasonable attorney's fees; and impose civil penalties of up to $5,000 for willful violations and $25,000 for violation of a restraining order (CGS 42-110a et seq.).

OLR Tracking: TA: LH: SD: cmg