CHAPTER 697

GENERAL PROVISIONS

Table of Contents

Sec. 38a-8. (Formerly Sec. 38-4). Duties of commissioner. Regulations. Sharing and maintenance of confidential information. Use of outside professionals. Program re electronic rate and form filings.

Sec. 38a-37. Interstate Insurance Product Regulation Compact.

Sec. 38a-38. (Note: This section is effective October 1, 2020.) Insurance Data Security Law. Regulations.


PART II

INSURANCE COMMISSIONER. POWERS AND DUTIES

Sec. 38a-8. (Formerly Sec. 38-4). Duties of commissioner. Regulations. Sharing and maintenance of confidential information. Use of outside professionals. Program re electronic rate and form filings. (a) The commissioner shall see that all laws respecting insurance companies and health care centers are faithfully executed and shall administer and enforce the provisions of this title. The commissioner shall have all powers specifically granted, and all further powers that are reasonable and necessary to enable the commissioner to protect the public interest in accordance with the duties imposed by this title. The commissioner shall pay to the Treasurer all the fees that the commissioner receives. The commissioner may administer oaths in the discharge of the commissioner's duties.

(b) The commissioner shall recommend to the General Assembly changes that, in the commissioner's opinion, should be made in the laws relating to insurance.

(c) In addition to the specific regulations that the commissioner is required to adopt, the commissioner may adopt such further regulations, in accordance with the provisions of chapter 54, as are reasonable and necessary to implement the provisions of this title.

(d) The commissioner shall develop a program of periodic review to ensure compliance by the Insurance Department with the minimum standards established by the National Association of Insurance Commissioners for effective financial surveillance and regulation of insurance companies operating in this state. The commissioner shall adopt regulations, in accordance with the provisions of chapter 54, pertaining to the financial surveillance and solvency regulation of insurance companies and health care centers as are reasonable and necessary to obtain or maintain the accreditation of the Insurance Department by the National Association of Insurance Commissioners. The commissioner shall maintain as confidential any confidential documents or information received from the National Association of Insurance Commissioners, or the International Association of Insurance Supervisors, or any documents or information received from state or federal insurance, banking or securities regulators or similar regulators in a foreign country that are confidential in such jurisdictions. The commissioner may share any information, including confidential information, with the National Association of Insurance Commissioners, the International Association of Insurance Supervisors, or state or federal insurance, banking or securities regulators or similar regulators in a foreign country, provided the commissioner determines that such entities agree to maintain the same level of confidentiality in their jurisdictions as is available in this state. At the expense of a domestic, alien or foreign insurer, the commissioner may engage the services of attorneys, actuaries, accountants and other experts not otherwise part of the commissioner's staff as may be necessary to assist the commissioner in the financial analysis of the insurer, the review of the insurer's license applications, and the review of transactions within a holding company system involving an insurer domiciled in this state. No duties of a person employed by the Insurance Department on November 1, 2002, shall be performed by such attorney, actuary, accountant or expert.

(e) The commissioner shall establish a program to reduce costs and increase efficiency through the use of electronic methods to transmit documents, including policy form and rate filings, to and from insurers and the Insurance Department. The commissioner may sit as a member of the board of a consortium organized by or in association with the National Association of Insurance Commissioners for the purpose of coordinating a system for electronic rate and form filing among state insurance departments and insurers.

(f) The commissioner shall maintain as confidential information obtained, collected or prepared in connection with examinations, inspections or investigations, and complaints from the public received by the Insurance Department, if such records are protected from disclosure under federal law or state statute or, in the opinion of the commissioner, such records would disclose, or would reasonably lead to the disclosure of: (1) Investigative information the disclosure of which would be prejudicial to such investigation, until such time as the investigation is concluded; or (2) personal, financial or medical information concerning a person who has filed a complaint or inquiry with the Insurance Department, without the written consent of the person or persons to whom the information pertains.

(g) The commissioner may, in the commissioner's discretion, engage the services of such third-party actuaries, professionals and specialists that the commissioner deems necessary to assist the commissioner in reviewing any rate, form or similar filing submitted to the commissioner pursuant to this title. The cost of such services shall be borne by the person who submitted such rate, form or similar filing to the commissioner.

(1949 Rev., S. 6029; 1959, P.A. 78, S. 1; P.A. 90-243, S. 2; P.A. 92-112, S. 1; P.A. 95-168, S. 1; P.A. 98-57, S. 1; 98-85; P.A. 99-9, S. 1, 6; P.A. 03-121, S. 1; 03-127, S. 1; P.A. 05-275, S. 13; P.A. 13-134, S. 1; P.A. 19-125, S. 1.)

History: 1959 act deleted requirement that the commissioner supply insurance companies with the forms required by law; P.A. 90-243 expanded the insurance commissioner's statutory powers, duties and obligations and divided section into Subsecs.; Sec. 38-4 transferred to Sec. 38a-8 in 1991; P.A. 92-112 added a new Subsec. (d) allowing the commissioner to develop a program of periodic review to ensure financial integrity as a minimum standard as required by the National Association of Insurance Commissioners; P.A. 95-168 amended Subsec. (d) to add provisions re confidentiality of documents received by Insurance Commissioner; P.A. 98-57 amended Subsec. (d) to require the commissioner to maintain as confidential information received from the International Association of Insurance Supervisors, or from state or federal insurance, banking or securities regulators or similar regulators in a foreign country, and authorized the commissioner to share confidential information with those officials; P.A. 98-85 added new Subsec. (e) to require the commissioner to establish a program to use electronic methods to transmit documents to and from insurers, and authorized the commissioner to sit on a consortium re electronic rate and form filing among state insurance departments and insurers; P.A. 99-9 amended Subsecs. (a) and (d) to reference “health care centers”, effective May 12, 1999; P.A. 03-121 added Subsec. (f) re confidentiality of information re inspections or investigations and complaints; P.A. 03-127 amended Subsec. (d) by adding provisions re commissioner's power to engage the services of experts not otherwise part of commissioner's staff; P.A. 05-275 added new Subsec. (g) re development of a plan to maintain a viable medical malpractice insurance industry in state, effective July 13, 2005; P.A. 13-134 made technical changes in Subsecs. (a) to (d) and (f), and deleted former Subsec. (g) re development of a medical malpractice insurance industry plan; P.A. 19-125 added Subsec. (g) re engagement of services of third-party actuaries, professionals and specialists and made a technical change in Subsec. (e), effective July 1, 2019.

PART V

INTERSTATE INSURANCE PRODUCT REGULATION COMPACT

Sec. 38a-37. Interstate Insurance Product Regulation Compact. Pursuant to terms and conditions of this compact, the state of Connecticut seeks to join with other states and establish the Interstate Insurance Product Regulation Compact, and thus become a member of the Interstate Insurance Product Regulation Commission. The Insurance Commissioner is hereby designated to serve as the representative of this state to the commission.

ARTICLE I

PURPOSES

The purposes of this compact are, through means of joint and cooperative action among the compacting states:

1. To promote and protect the interest of consumers of individual and group annuity, life insurance, disability income and long-term care insurance products;

2. To develop uniform standards for insurance products covered under the compact;

3. To establish a central clearinghouse to receive and provide prompt review of insurance products covered under the compact and, in certain cases, advertisements related thereto, submitted by insurers authorized to do business in one or more compacting states;

4. To give appropriate regulatory approval to those product filings and advertisements satisfying the applicable uniform standard;

5. To improve coordination of regulatory resources and expertise between state insurance departments regarding the setting of uniform standards and review of insurance products covered under the compact;

6. To create the Interstate Insurance Product Regulation Commission; and

7. To perform these and such other related functions as may be consistent with the state regulation of the business of insurance.

ARTICLE II

DEFINITIONS

For purposes of this compact:

1. “Advertisement” means any material designed to create public interest in a product, or induce the public to purchase, increase, modify, reinstate, borrow on, surrender, replace or retain a policy, as more specifically defined in the rules and operating procedures of the commission.

2. “Bylaws” mean those bylaws established by the commission for its governance, or for directing or controlling the commission's actions or conduct.

3. “Compacting state” means any state which has enacted this compact legislation and which has not withdrawn pursuant to Article XIV, section 1 of this compact, or been terminated pursuant to Article XIV, section 2 of this compact.

4. “Commission” means the Interstate Insurance Product Regulation Commission established by this compact.

5. “Commissioner” means the chief insurance regulatory official of a state including, but not limited to, commissioner, superintendent, director or administrator.

6. “Domiciliary state” means the state in which an insurer is incorporated or organized; or, in the case of an alien insurer, its state of entry.

7. “Insurer” means any entity licensed by a state to issue contracts of insurance for any of the lines of insurance covered by this compact.

8. “Member” means the person chosen by a compacting state as its representative to the commission, or the member's designee.

9. “Non-compacting state” means any state which is not at the time a compacting state.

10. “Operating procedures” mean procedures promulgated by the commission implementing a rule, uniform standard or a provision of this compact.

11. “Product” means the form of a policy or contract, including any application, endorsement, or related form which is attached to and made a part of the policy or contract, and any evidence of coverage or certificate, for an individual or group annuity, life insurance, disability income or long-term care insurance product that an insurer is authorized to issue.

12. “Rule” means a statement of general or particular applicability and future effect promulgated by the commission, including a uniform standard developed pursuant to Article VII of this compact, designed to implement, interpret, or prescribe law or policy or describing the organization, procedure, or practice requirements of the commission, which shall have the force and effect of law in the compacting states.

13. “State” means any state, district or territory of the United States of America.

14. “Third-party filer” means an entity that submits a product filing to the commission on behalf of an insurer.

15. “Uniform standard” means a standard adopted by the commission for a product line, pursuant to Article VII of this compact, and shall include all of the product requirements in aggregate; provided, that each uniform standard shall be construed, whether express or implied, to prohibit the use of any inconsistent, misleading or ambiguous provisions in a product and the form of the product made available to the public shall not be unfair, inequitable or against public policy as determined by the commission.

ARTICLE III

ESTABLISHMENT OF THE COMMISSION AND VENUE

1. The compacting states hereby create and establish a joint public agency known as the Interstate Insurance Product Regulation Commission. Pursuant to Article IV of this compact, the commission will have the power to develop uniform standards for product lines, receive and provide prompt review of products filed therewith, and give approval to those product filings satisfying applicable uniform standards; provided, it is not intended for the commission to be the exclusive entity for receipt and review of insurance product filings. Nothing herein shall prohibit any insurer from filing its product in any state wherein the insurer is licensed to conduct the business of insurance; and any such filing shall be subject to the laws of the state where filed.

2. The Interstate Insurance Product Regulation Commission is a body corporate and politic, and an instrumentality of the compacting states.

3. The commission is solely responsible for its liabilities except as otherwise specifically provided in this compact.

4. Venue is proper and judicial proceedings by or against the commission shall be brought solely and exclusively in a court of competent jurisdiction where the principal office of the commission is located.

ARTICLE IV

POWERS OF THE COMMISSION

The commission shall have the following powers:

1. To promulgate rules, pursuant to Article VII of this compact, which shall have the force and effect of law and shall be binding in the compacting states to the extent and in the manner provided in this compact;

2. To exercise its rulemaking authority and establish reasonable uniform standards for products covered under the compact, and advertisement related thereto, which shall have the force and effect of law and shall be binding in the compacting states, but only for those products filed with the commission, provided, that a compacting state shall have the right to opt out of such uniform standard pursuant to Article VII of this compact, to the extent and in the manner provided in this compact, and, provided further, that any uniform standard established by the commission for long-term care insurance products may provide the same or greater protections for consumers as, but shall not provide less than, those protections set forth in the National Association of Insurance Commissioners' Long-Term Care Insurance Model Act and Long-Term Care Insurance Model Regulation, respectively, adopted as of 2001. The commission shall consider whether any subsequent amendments to the National Association of Insurance Commissioners' Long-Term Care Insurance Model Act or Long-Term Care Insurance Model Regulation adopted by the National Association of Insurance Commissioners require amending of the uniform standards established by the commission for long-term care insurance products;

3. To receive and review in an expeditious manner products filed with the commission, and rate filings for disability income and long-term care insurance products, and give approval of those products and rate filings that satisfy the applicable uniform standard, where such approval shall have the force and effect of law and be binding on the compacting states to the extent and in the manner provided in the compact;

4. To receive and review in an expeditious manner advertisement relating to long-term care insurance products for which uniform standards have been adopted by the commission, and give approval to all advertisement that satisfies the applicable uniform standard. For any product covered under this compact, other than long-term care insurance products, the commission shall have the authority to require an insurer to submit all or any part of its advertisement with respect to that product for review or approval prior to use, if the commission determines that the nature of the product is such that an advertisement of the product could have the capacity or tendency to mislead the public. The actions of the commission as provided in this section shall have the force and effect of law and shall be binding in the compacting states to the extent and in the manner provided in the compact;

5. To exercise its rulemaking authority and designate products and advertisement that may be subject to a self-certification process without the need for prior approval by the commission;

6. To promulgate operating procedures, pursuant to Article VII of this compact, which shall be binding in the compacting states to the extent and in the manner provided in this compact;

7. To bring and prosecute legal proceedings or actions in its name as the commission; provided, that the standing of any state insurance department to sue or be sued under applicable law shall not be affected;

8. To issue subpoenas requiring the attendance and testimony of witnesses and the production of evidence;

9. To establish and maintain offices;

10. To purchase and maintain insurance and bonds;

11. To borrow, accept or contract for services of personnel, including, but not limited to, employees of a compacting state;

12. To hire employees, professionals or specialists, and elect or appoint officers, and to fix their compensation, define their duties and give them appropriate authority to carry out the purposes of the compact, and determine their qualifications; and to establish the commission's personnel policies and programs relating to, among other things, conflicts of interest, rates of compensation and qualifications of personnel;

13. To accept any and all appropriate donations and grants of money, equipment, supplies, materials and services, and to receive, utilize and dispose of the same; provided that at all times the commission shall strive to avoid any appearance of impropriety;

14. To lease, purchase, accept appropriate gifts or donations of, or otherwise to own, hold, improve or use, any property, real, personal or mixed; provided that at all times the commission shall strive to avoid any appearance of impropriety;

15. To sell, convey, mortgage, pledge, lease, exchange, abandon or otherwise dispose of any property, real, personal or mixed;

16. To remit filing fees to compacting states as may be set forth in the bylaws, rules or operating procedures;

17. To enforce compliance by compacting states with rules, uniform standards, operating procedures and bylaws;

18. To provide for dispute resolution among compacting states;

19. To advise compacting states on issues relating to insurers domiciled or doing business in non-compacting jurisdictions, consistent with the purposes of this compact;

20. To provide advice and training to those personnel in state insurance departments responsible for product review, and to be a resource for state insurance departments;

21. To establish a budget and make expenditures;

22. To borrow money;

23. To appoint committees, including advisory committees comprising members, state insurance regulators, state legislators or their representatives, insurance industry and consumer representatives, and such other interested persons as may be designated in the bylaws;

24. To provide and receive information from, and to cooperate with law enforcement agencies;

25. To adopt and use a corporate seal; and

26. To perform such other functions as may be necessary or appropriate to achieve the purposes of this compact consistent with the state regulation of the business of insurance.

ARTICLE V

ORGANIZATION OF THE COMMISSION

Section 1. Membership, Voting and Bylaws

a. Each compacting state shall have and be limited to one member. Each member shall be qualified to serve in that capacity pursuant to applicable law of the compacting state. Any member may be removed or suspended from office as provided by the law of the state from which he or she shall be appointed. Any vacancy occurring in the commission shall be filled in accordance with the laws of the compacting state wherein the vacancy exists. Nothing herein shall be construed to affect the manner in which a compacting state determines the election or appointment and qualification of its own commissioner.

b. Each member shall be entitled to one vote and shall have an opportunity to participate in the governance of the commission in accordance with the bylaws. Notwithstanding any provision herein to the contrary, no action of the commission with respect to the promulgation of a uniform standard shall be effective unless two-thirds of the members vote in favor thereof.

c. The commission shall, by a majority of the members, prescribe bylaws to govern its conduct as may be necessary or appropriate to carry out the purposes, and exercise the powers, of the compact, including, but not limited to:

(i) Establishing the fiscal year of the commission;

(ii) Providing reasonable procedures for appointing and electing members, as well as holding meetings, of the management committee;

(iii) Providing reasonable standards and procedures: (I) For the establishment and meetings of other committees, and (II) governing any general or specific delegation of any authority or function of the commission;

(iv) Providing reasonable procedures for calling and conducting meetings of the commission that consists of a majority of commission members, ensuring reasonable advance notice of each such meeting and providing for the right of citizens to attend each such meeting with enumerated exceptions designed to protect the public's interest, the privacy of individuals, and insurers' proprietary information, including trade secrets. The commission may meet in camera only after a majority of the entire membership votes to close a meeting in toto or in part. As soon as practicable, the commission must make public (I) a copy of the vote to close the meeting revealing the vote of each member with no proxy votes allowed, and (II) votes taken during such meeting;

(v) Establishing the titles, duties and authority and reasonable procedures for the election of the officers of the commission;

(vi) Providing reasonable standards and procedures for the establishment of the personnel policies and programs of the commission. Notwithstanding any civil service or other similar laws of any compacting state, the bylaws shall exclusively govern the personnel policies and programs of the commission;

(vii) Promulgating a code of ethics to address permissible and prohibited activities of commission members and employees; and

(viii) Providing a mechanism for winding up the operations of the commission and the equitable disposition of any surplus funds that may exist after the termination of the compact after the payment and/or reserving of all of its debts and obligations.

d. The commission shall publish its bylaws in a convenient form and file a copy thereof and a copy of any amendment thereto, with the appropriate agency or officer in each of the compacting states.

Section 2. Management Committee, Officers and Personnel

a. A management committee comprising no more than fourteen members shall be established as follows:

(i) One member from each of the six compacting states with the largest premium volume for individual and group annuities, life, disability income and long-term care insurance products, determined from the records of the National Association of Insurance Commissioners for the prior year;

(ii) Four members from those compacting states with at least two per cent of the market based on the premium volume described above, other than the six compacting states with the largest premium volume, selected on a rotating basis as provided in the bylaws; and

(iii) Four members from those compacting states with less than two per cent of the market, based on the premium volume described above, with one selected from each of the four zone regions of the National Association of Insurance Commissioners as provided in the bylaws.

b. The management committee shall have such authority and duties as may be set forth in the bylaws, including, but not limited to:

(i) Managing the affairs of the commission in a manner consistent with the bylaws and purposes of the commission;

(ii) Establishing and overseeing an organizational structure within, and appropriate procedures for, the commission to provide for the creation of uniform standards and other rules, receipt and review of product filings, administrative and technical support functions, review of decisions regarding the disapproval of a product filing, and the review of elections made by a compacting state to opt out of a uniform standard; provided that a uniform standard shall not be submitted to the compacting states for adoption unless approved by two-thirds of the members of the management committee;

(iii) Overseeing the offices of the commission; and

(iv) Planning, implementing, and coordinating communications and activities with other state, federal and local government organizations in order to advance the goals of the commission.

c. The commission shall elect annually officers from the management committee, with each having such authority and duties, as may be specified in the bylaws.

d. The management committee may, subject to the approval of the commission, appoint or retain an executive director for such period, upon such terms and conditions and for such compensation as the commission may deem appropriate. The executive director shall serve as secretary to the commission, but shall not be a member of the commission. The executive director shall hire and supervise such other staff as may be authorized by the commission.

Section 3. Legislative and Advisory Committees

a. A legislative committee comprising state legislators or their designees shall be established to monitor the operations of, and make recommendations to, the commission, including the management committee; provided that the manner of selection and term of any legislative committee member shall be as set forth in the bylaws. Prior to the adoption by the commission of any uniform standard, revision to the bylaws, annual budget or other significant matter as may be provided in the bylaws, the management committee shall consult with and report to the legislative committee.

b. The commission shall establish two advisory committees, one of which shall comprise consumer representatives independent of the insurance industry, and the other comprising insurance industry representatives.

c. The commission may establish additional advisory committees as its bylaws may provide for the carrying out of its functions.

Section 4. Corporate Records of the Commission

The commission shall maintain its corporate books and records in accordance with the bylaws.

Section 5. Qualified Immunity, Defense and Indemnification

a. The members, officers, executive director, employees and representatives of the commission shall be immune from suit and liability, either personally or in their official capacity, for any claim for damage to or loss of property or personal injury or other civil liability caused by or arising out of any actual or alleged act, error or omission that occurred, or that the person against whom the claim is made had a reasonable basis for believing occurred within the scope of commission employment, duties or responsibilities; provided, that nothing in this paragraph shall be construed to protect any such person from suit and/or liability for any damage, loss, injury or liability caused by the intentional or wilful and wanton misconduct of that person.

b. The commission shall defend any member, officer, executive director, employee or representative of the commission in any civil action seeking to impose liability arising out of any actual or alleged act, error or omission that occurred within the scope of commission employment, duties or responsibilities, or that the person against whom the claim is made had a reasonable basis for believing occurred within the scope of commission employment, duties or responsibilities; provided, that nothing herein shall be construed to prohibit that person from retaining counsel; and provided further, that the actual or alleged act, error or omission did not result from that person's intentional or wilful and wanton misconduct.

c. The commission shall indemnify and hold harmless any member, officer, executive director, employee or representative of the commission for the amount of any settlement or judgment obtained against that person arising out of any actual or alleged act, error or omission that occurred within the scope of commission employment, duties or responsibilities, or that such person had a reasonable basis for believing occurred within the scope of commission employment, duties or responsibilities, provided, that the actual or alleged act, error or omission did not result from the intentional or wilful and wanton misconduct of that person.

ARTICLE VI

MEETINGS AND ACTS OF THE COMMISSION

1. The commission shall meet and take such actions as are consistent with the provisions of this compact and the bylaws.

2. Each member of the commission shall have the right and power to cast a vote to which that compacting state is entitled and to participate in the business and affairs of the commission. A member shall vote in person or by such other means as provided in the bylaws. The bylaws may provide for members' participation in meetings by telephone or other means of communication.

3. The commission shall meet at least once during each calendar year. Additional meetings shall be held as set forth in the bylaws.

ARTICLE VII

RULES AND OPERATING PROCEDURES: RULEMAKING FUNCTIONS OF THE COMMISSION AND OPTING OUT OF UNIFORM STANDARDS

1. The commission shall promulgate reasonable rules, including uniform standards, and operating procedures in order to effectively and efficiently achieve the purposes of this compact. Notwithstanding the foregoing, in the event the commission exercises its rulemaking authority in a manner that is beyond the scope of the purposes of this compact, or the powers granted hereunder, then such an action by the commission shall be invalid and have no force and effect.

2. Rules and operating procedures shall be made pursuant to a rulemaking process that conforms to the Model State Administrative Procedure Act of 1981 as amended, as may be appropriate to the operations of the commission. Before the commission adopts a uniform standard, the commission shall give written notice to the relevant state legislative committees in each compacting state responsible for insurance issues of its intention to adopt the uniform standard. The commission in adopting a uniform standard shall consider fully all submitted materials and issue a concise explanation of its decision.

3. A uniform standard shall become effective ninety days after its promulgation by the commission or such later date as the commission may determine; provided, however, that a compacting state may opt out of a uniform standard as provided in this article. “Opt out” shall be defined as any action by a compacting state to decline to adopt or participate in a promulgated uniform standard. All other rules and operating procedures, and amendments thereto, shall become effective as of the date specified in each rule, operating procedure or amendment.

4. A compacting state may opt out of a uniform standard, either by legislation or regulation duly promulgated by the Insurance Department under the compacting state's administrative procedure act. If a compacting state elects to opt out of a uniform standard by regulation, it must:

a. Give written notice to the commission no later than ten business days after the uniform standard is promulgated, or at the time the state becomes a compacting state; and

b. Find that the uniform standard does not provide reasonable protections to the citizens of the state, given the conditions in the state. The commissioner shall make specific findings of fact and conclusions of law, based on a preponderance of the evidence, detailing the conditions in the state which warrant a departure from the uniform standard and determining that the uniform standard would not reasonably protect the citizens of the state. The commissioner must consider and balance the following factors and find that the conditions in the state and needs of the citizens of the state outweigh: (i) The intent of the legislature to participate in, and the benefits of, an interstate agreement to establish national uniform consumer protections for the products subject to this compact; and (ii) the presumption that a uniform standard adopted by the commission provides reasonable protections to consumers of the relevant product. Notwithstanding the foregoing, a compacting state may, at the time of its enactment of this compact, prospectively opt out of all uniform standards involving long-term care insurance products by expressly providing for such opt out in the enacted compact, and such an opt out shall not be treated as a material variance in the offer or acceptance of any state to participate in this compact. Such an opt out shall be effective at the time of enactment of this compact by the compacting state and shall apply to all existing uniform standards involving long-term care insurance products and those subsequently promulgated.

5. If a compacting state elects to opt out of a uniform standard, the uniform standard shall remain applicable in the compacting state electing to opt out until such time the opt out legislation is enacted into law or the regulation opting out becomes effective. Once the opt out of a uniform standard by a compacting state becomes effective as provided under the laws of that state, the uniform standard shall have no further force and effect in that state unless and until the legislation or regulation implementing the opt out is repealed or otherwise becomes ineffective under the laws of the state. If a compacting state opts out of a uniform standard after the uniform standard has been made effective in that state, the opt out shall have the same prospective effect as provided under Article XIV of this compact for withdrawals.

6. If a compacting state has formally initiated the process of opting out of a uniform standard by regulation, and while the regulatory opt out is pending, the compacting state may petition the commission, at least fifteen days before the effective date of the uniform standard, to stay the effectiveness of the uniform standard in that state. The commission may grant a stay if it determines the regulatory opt out is being pursued in a reasonable manner and there is a likelihood of success. If a stay is granted or extended by the commission, the stay or extension thereof may postpone the effective date by up to ninety days, unless affirmatively extended by the commission; provided, a stay may not be permitted to remain in effect for more than one year unless the compacting state can show extraordinary circumstances which warrant a continuance of the stay, including, but not limited to, the existence of a legal challenge which prevents the compacting state from opting out. A stay may be terminated by the commission upon notice that the rulemaking process has been terminated.

7. Not later than thirty days after a rule or operating procedure is promulgated, any person may file a petition for judicial review of the rule or operating procedure; provided, that the filing of such a petition shall not stay or otherwise prevent the rule or operating procedure from becoming effective unless the court finds that the petitioner has a substantial likelihood of success. The court shall give deference to the actions of the commission consistent with applicable law and shall not find the rule or operating procedure to be unlawful if the rule or operating procedure represents a reasonable exercise of the commission's authority.

ARTICLE VIII

COMMISSION RECORDS AND ENFORCEMENT

1. The commission shall promulgate rules establishing conditions and procedures for public inspection and copying of its information and official records, except such information and records involving the privacy of individuals and insurers' trade secrets. The commission may promulgate additional rules under which it may make available to federal and state agencies, including law enforcement agencies, records and information otherwise exempt from disclosure, and may enter into agreements with such agencies to receive or exchange information or records subject to nondisclosure and confidentiality provisions.

2. Except as to privileged records, data and information, the laws of any compacting state pertaining to confidentiality or nondisclosure shall not relieve any compacting state commissioner of the duty to disclose any relevant records, data or information to the commission; provided, that disclosure to the commission shall not be deemed to waive or otherwise affect any confidentiality requirement; and further provided, that, except as otherwise expressly provided in this compact, the commission shall not be subject to the compacting state's laws pertaining to confidentiality and nondisclosure with respect to records, data and information in its possession. Confidential information of the commission shall remain confidential after such information is provided to any commissioner.

3. The commission shall monitor compacting states for compliance with duly adopted bylaws, rules, including uniform standards, and operating procedures. The commission shall notify any non-complying compacting state in writing of its noncompliance with commission bylaws, rules or operating procedures. If a non-complying compacting state fails to remedy its noncompliance within the time specified in the notice of noncompliance, the compacting state shall be deemed to be in default as set forth in Article XIV of this compact.

4. The commissioner of any state in which an insurer is authorized to do business, or is conducting the business of insurance, shall continue to exercise the commissioner's authority to oversee the market regulation of the activities of the insurer in accordance with the provisions of the state's law. The commissioner's enforcement of compliance with the compact is governed by the following provisions:

a. With respect to the commissioner's market regulation of a product or advertisement that is approved or certified to the commission, the content of the product or advertisement shall not constitute a violation of the provisions, standards or requirements of the compact except upon a final order of the commission, issued at the request of a commissioner after prior notice to the insurer and an opportunity for hearing before the commission.

b. Before a commissioner may bring an action for violation of any provision, standard or requirement of the compact relating to the content of an advertisement not approved or certified to the commission, the commission, or an authorized commission officer or employee, must authorize the action. However, authorization pursuant to this paragraph does not require notice to the insurer, opportunity for hearing or disclosure of requests for authorization or records of the commission's action on such requests.

ARTICLE IX

DISPUTE RESOLUTION

The commission shall attempt, upon the request of a member, to resolve any disputes or other issues that are subject to this compact and which may arise between two or more compacting states, or between compacting states and non-compacting states, and the commission shall promulgate an operating procedure providing for resolution of such disputes.

ARTICLE X

PRODUCT FILING AND APPROVAL

1. Insurers and third-party filers seeking to have a product approved by the commission shall file the product with, and pay applicable filing fees to, the commission. Nothing in this compact shall be construed to restrict or otherwise prevent an insurer from filing its product with the insurance department in any state wherein the insurer is licensed to conduct the business of insurance, and such filing shall be subject to the laws of the states where filed.

2. The commission shall establish appropriate filing and review processes and procedures pursuant to commission rules and operating procedures. Notwithstanding any provision herein to the contrary, the commission shall promulgate rules to establish conditions and procedures under which the commission will provide public access to product filing information. In establishing such rules, the commission shall consider the interests of the public in having access to such information, as well as protection of personal medical and financial information and trade secrets, that may be contained in a product filing or supporting information.

3. Any product approved by the commission may be sold or otherwise issued in those compacting states for which the insurer is legally authorized to do business.

ARTICLE XI

REVIEW OF COMMISSION DECISIONS REGARDING FILINGS

1. Not later than thirty days after the commission has given notice of a disapproved product or advertisement filed with the commission, the insurer or third-party filer whose filing was disapproved may appeal the determination to a review panel appointed by the commission. The commission shall promulgate rules to establish procedures for appointing such review panels and provide for notice and hearing. An allegation that the commission, in disapproving a product or advertisement filed with the commission, acted arbitrarily, capriciously, or in a manner that is an abuse of discretion or otherwise not in accordance with the law, is subject to judicial review in accordance with Article III, section 4 of this compact.

2. The commission shall have authority to monitor, review and reconsider products and advertisement subsequent to their filing or approval upon a finding that the product does not meet the relevant uniform standard. Where appropriate, the commission may withdraw or modify its approval after proper notice and hearing, subject to the appeal process in section 1 of this article.

ARTICLE XII

FINANCE

1. The commission shall pay or provide for the payment of the reasonable expenses of its establishment and organization. To fund the cost of its initial operations, the commission may accept contributions and other forms of funding from the National Association of Insurance Commissioners, compacting states and other sources. Contributions and other forms of funding from other sources shall be of such a nature that the independence of the commission concerning the performance of its duties shall not be compromised.

2. The commission shall collect a filing fee from each insurer and third-party filer filing a product with the commission to cover the cost of the operations and activities of the commission and its staff in a total amount sufficient to cover the commission's annual budget.

3. The commission's budget for a fiscal year shall not be approved until it has been subject to notice and comment as set forth in Article VII of this compact.

4. The commission shall be exempt from all taxation in and by the compacting states.

5. The commission shall not pledge the credit of any compacting state, except by and with the appropriate legal authority of that compacting state.

6. The commission shall keep complete and accurate accounts of all its internal receipts, including grants and donations, and disbursements of all funds under its control. The internal financial accounts of the commission shall be subject to the accounting procedures established under its bylaws. The financial accounts and reports including the system of internal controls and procedures of the commission shall be audited annually by an independent certified public accountant. Upon the determination of the commission, but no less frequently than every three years, the review of the independent auditor shall include a management and performance audit of the commission. The commission shall make an annual report to the governor and legislature of the compacting states, which shall include a report of the independent audit. The commission's internal accounts shall not be confidential and such materials may be shared with the commissioner of any compacting state upon request provided, however, that any work papers related to any internal or independent audit and any information regarding the privacy of individuals and insurers' proprietary information, including trade secrets, shall remain confidential.

7. No compacting state shall have any claim to or ownership of any property held by or vested in the commission or to any commission funds held pursuant to the provisions of this compact.

ARTICLE XIII

COMPACTING STATES, EFFECTIVE DATE AND AMENDMENT

1. Any state is eligible to become a compacting state.

2. The compact shall become effective and binding upon legislative enactment of the compact into law by two compacting states; provided, the commission shall become effective for purposes of adopting uniform standards for, reviewing, and giving approval or disapproval of, products filed with the commission that satisfy applicable uniform standards only after twenty-six states are compacting states or, alternatively, by states representing greater than forty per cent of the premium volume for life insurance, annuity, disability income and long-term care insurance products, based on records of the National Association of Insurance Commissioners for the prior year. Thereafter, it shall become effective and binding as to any other compacting state upon enactment of the compact into law by that state.

3. Amendments to the compact may be proposed by the commission for enactment by the compacting states. No amendment shall become effective and binding upon the commission and the compacting states unless and until all compacting states enact the amendment into law.

ARTICLE XIV

WITHDRAWAL, DEFAULT AND TERMINATION

Section 1. Withdrawal

a. Once effective, the compact shall continue in force and remain binding upon each and every compacting state; provided, that a compacting state may withdraw from the compact (“withdrawing state”) by enacting a statute specifically repealing the statute which enacted the compact into law.

b. The effective date of withdrawal is the effective date of the repealing statute. However, the withdrawal shall not apply to any product filings approved or self-certified, or any advertisement of such products, on the date the repealing statute becomes effective, except by mutual agreement of the commission and the withdrawing state unless the approval is rescinded by the withdrawing state as provided in paragraph e. of this section.

c. The commissioner of the withdrawing state shall immediately notify the management committee in writing upon the introduction of legislation repealing this compact in the withdrawing state.

d. The commission shall notify the other compacting states of the introduction of such legislation within ten days after its receipt of notice thereof.

e. The withdrawing state is responsible for all obligations, duties and liabilities incurred through the effective date of withdrawal, including any obligations, the performance of which extend beyond the effective date of withdrawal, except to the extent those obligations may have been released or relinquished by mutual agreement of the commission and the withdrawing state. The commission's approval of products and advertisement prior to the effective date of withdrawal shall continue to be effective and be given full force and effect in the withdrawing state, unless formally rescinded by the withdrawing state in the same manner as provided by the laws of the withdrawing state for the prospective disapproval of products or advertisement previously approved under state law.

f. Reinstatement following withdrawal of any compacting state shall occur upon the effective date of the withdrawing state reenacting the compact.

Section 2. Default

a. If the commission determines that any compacting state has at any time defaulted (“defaulting state”) in the performance of any of its obligations or responsibilities under this compact, the bylaws or duly promulgated rules or operating procedures, then, after notice and hearing as set forth in the bylaws, all rights, privileges and benefits conferred by this compact on the defaulting state shall be suspended from the effective date of default as fixed by the commission. The grounds for default include, but are not limited to, failure of a compacting state to perform its obligations or responsibilities, and any other grounds designated in commission rules. The commission shall immediately notify the defaulting state in writing of the defaulting state's suspension pending a cure of the default. The commission shall stipulate the conditions and the time period within which the defaulting state must cure its default. If the defaulting state fails to cure the default within the time period specified by the commission, the defaulting state shall be terminated from the compact and all rights, privileges and benefits conferred by this compact shall be terminated from the effective date of termination.

b. Product approvals by the commission or product self-certifications, or any advertisement in connection with such product, that are in force on the effective date of termination shall remain in force in the defaulting state in the same manner as if the defaulting state had withdrawn voluntarily pursuant to section 1 of this article.

c. Reinstatement following termination of any compacting state requires a reenactment of the compact.

Section 3. Dissolution of Compact

a. The compact dissolves effective upon the date of the withdrawal or default of the compacting state which reduces membership in the compact to one compacting state.

b. Upon the dissolution of this compact, the compact becomes null and void and shall be of no further force or effect, and the business and affairs of the commission shall be wound up and any surplus funds shall be distributed in accordance with the bylaws.

ARTICLE XV

SEVERABILITY AND CONSTRUCTION

1. The provisions of this compact shall be severable; and if any phrase, clause, sentence or provision is deemed unenforceable, the remaining provisions of the compact shall be enforceable.

2. The provisions of this compact shall be liberally construed to effectuate its purposes.

ARTICLE XVI

BINDING EFFECT OF COMPACT AND OTHER LAWS

Section 1. Other Laws

a. Nothing herein prevents the enforcement of any other law of a compacting state, except as provided in paragraph b. of this section.

b. For any product approved or certified to the commission, the rules, uniform standards and any other requirements of the commission shall constitute the exclusive provisions applicable to the content, approval and certification of such products. For advertisement that is subject to the commission's authority, any rule, uniform standard or other requirement of the commission which governs the content of the advertisement shall constitute the exclusive provision that a commissioner may apply to the content of the advertisement. Notwithstanding the foregoing, no action taken by the commission shall abrogate or restrict:

(i) The access of any person to state courts;

(ii) Remedies available under state law related to breach of contract, tort, or other laws not specifically directed to the content of the product;

(iii) State law relating to the construction of insurance contracts; or

(iv) The authority of the attorney general of the state, including, but not limited to, maintaining any actions or proceedings, as authorized by law.

c. All insurance products filed with individual states shall be subject to the laws of those states.

Section 2. Binding Effect of this Compact

a. All lawful actions of the commission, including all rules and operating procedures promulgated by the commission, are binding upon the compacting states.

b. All agreements between the commission and the compacting states are binding in accordance with their terms.

c. Upon the request of a party to a conflict over the meaning or interpretation of commission actions, and upon a majority vote of the compacting states, the commission may issue advisory opinions regarding the meaning or interpretation in dispute.

d. In the event any provision of this compact exceeds the constitutional limits imposed on the legislature of any compacting state, the obligations, duties, powers or jurisdiction sought to be conferred by that provision upon the commission shall be ineffective as to that compacting state, and those obligations, duties, powers or jurisdiction shall remain in the compacting state and shall be exercised by the agency thereof to which those obligations, duties, powers or jurisdiction are delegated by law in effect at the time this compact becomes effective.

ARTICLE XVII

STATE OF CONNECTICUT OPT OUT

In accordance with the provisions of Article VII, section 4 of this compact, the state of Connecticut opts out of all existing and prospective uniform standards involving long-term care insurance products in order to preserve the state's statutory requirements governing these insurance products.

(P.A. 16-119, S. 1; P.A. 19-125, S. 2.)

History: P.A. 16-119 effective July 1, 2017; P.A. 19-125 amended Art. XVII by deleting “and all existing uniform standards involving disability income insurance products”, effective July 1, 2019.

PART VI

INSURANCE DATA SECURITY LAW

Sec. 38a-38. (Note: This section is effective October 1, 2020.) Insurance Data Security Law. Regulations. (a) Title. This section may be cited as the “Insurance Data Security Law”.

(b) Definitions. For the purposes of this section:

(1) “Authorized individual” means an individual who is known to, and screened by, a licensee, and who is determined to be necessary and appropriate to have access to the nonpublic information that is held by the licensee and on such licensee's information systems.

(2) “Consumer” means an individual, including, but not limited to, an applicant, beneficiary, certificate holder, claimant, insured or policyholder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody or control.

(3) “Cybersecurity event” means an event resulting in any unauthorized access to, or disruption or misuse of, an information system or the information stored thereon, except if: (A) The event involves the unauthorized acquisition of encrypted nonpublic information if the encryption process for such information or encryption key to such information is not acquired, released or used without authorization; or (B) the event involves access of nonpublic information by an unauthorized person and the licensee determines that such information has not been used or released and has been returned or destroyed.

(4) “Encryption” means the transformation of data or information into a form that results in a low probability of assigning meaning to such data or information without the use of a protective process or key.

(5) “Information security program” means the administrative, technical and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of or otherwise handle nonpublic information.

(6) “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic data or information, as well as any specialized system such as an industrial or process controls system, telephone switching and private branch exchange system, and environmental control system.

(7) “Licensee” means any person licensed, authorized to operate or registered, or required to be licensed, authorized to operate or registered, pursuant to the insurance laws of this state, except for a purchasing group or a risk retention group chartered and licensed in another state or a licensee that is acting as an assuming insurer and domiciled in another state or jurisdiction.

(8) “Multifactor authentication” means authentication through verification of at least two of the following types of authentication factors: (A) A knowledge factor, including, but not limited to, a password; (B) a possession factor, including, but not limited to, a token or text message on a mobile phone; or (C) an inheritance factor, including, but not limited to, a biometric characteristic.

(9) “Nonpublic information” means data and information, other than publicly available information and information concerning a consumer's age or gender, that: (A) Concerns the business of a licensee and that, if accessed, disclosed, tampered with or used without authorization from the licensee, would have a material adverse impact on the business, operations or security of such licensee; (B) concerns a consumer and that, because such data or information contains a name, number, personal mark or other identifier, can be used to identify such consumer in combination with: (i) A Social Security number; (ii) a driver's license number or nondriver identification card number; (iii) an account, credit or debit card number; (iv) an access or security code, or a password, that would permit access to the consumer's financial account; or (v) a biometric record; or (C) is in a form or medium created by, or derived from, a health care provider or consumer and concerns: (i) The past, present or future physical, mental or behavioral health or condition of a consumer or a member of a consumer's family; (ii) the provision of health care to a consumer; or (iii) payment for the provision of health care to a consumer.

(10) “Person” means any individual or any nongovernmental entity, including, but not limited to, any nongovernmental partnership, corporation, branch, agency or association.

(11) “Publicly available information” means data or information that: (A) (i) Must be disclosed to the general public pursuant to applicable law; or (ii) may be made available to the general public from government records or widely distributed media; and (B) a licensee reasonably believes, after investigation: (i) Is of a type that is available to the general public; and (ii) the consumer has not directed to be withheld from the general public, if the consumer may direct that such data or information be withheld from the general public pursuant to applicable law.

(12) “Risk assessment” means the risk assessment that each licensee is required to conduct pursuant to subdivision (3) of subsection (c) of this section.

(13) “Third-party service provider” means a person, other than a licensee, that: (A) Contracts with a licensee to maintain, process or store nonpublic information; or (B) is otherwise permitted to access nonpublic information through the person's provision of services to a licensee.

(c) Information Security Program. (1) Implementation of an information security program. Except as provided in subdivision (10) of this subsection, each licensee shall, not later than October 1, 2020, develop, implement and maintain a comprehensive written information security program that is based on the licensee's risk assessment and contains the administrative, technical and physical safeguards for the protection of nonpublic information and such licensee's information systems. Each information security program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including, but not limited to, such licensee's use of third-party service providers, and the sensitivity of the nonpublic information used by such licensee or in such licensee's possession, custody or control.

(2) Objectives of Information Security Program. Except as provided in subdivision (10) of this subsection, each information security program developed, implemented and maintained by a licensee pursuant to subdivision (1) of this subsection shall:

(A) Be designed to:

(i) Protect the security and confidentiality of the nonpublic information and the security of the information system;

(ii) Protect against all threats and hazards to the security or integrity of nonpublic information and the information system; and

(iii) Protect against unauthorized access to, or use of, nonpublic information and minimize the likelihood of harm to any consumer; and

(B) Define, and periodically reevaluate, a schedule for retention of nonpublic information and a mechanism for the destruction of such information when such information no longer is needed.

(3) Risk Assessment. Except as provided in subdivision (10) of this subsection, each licensee shall:

(A) Designate one or more employees, an affiliate or an outside vendor designated to act on behalf of such licensee as the person responsible for such licensee's information security program;

(B) Identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of nonpublic information, including, but not limited to, the security of information systems that are, and nonpublic information that is, accessible to, or held by, third-party service providers;

(C) Assess the likelihood and potential damage of the threats identified pursuant to subparagraph (B) of this subdivision, taking into consideration the sensitivity of the nonpublic information;

(D) Assess the sufficiency of policies, procedures, information systems and other safeguards in place to manage the threats identified pursuant to subparagraph (B) of this subdivision by considering such threats in the following areas of such licensee's operations:

(i) Employee training and management;

(ii) Information systems, including, but not limited to, network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and

(iii) Detection, prevention and response to attacks, intrusions or other systems failures;

(E) Implement information safeguards to manage the threats identified in such licensee's ongoing assessment; and

(F) Not less than annually, assess the effectiveness of such licensee's safeguards' key controls, systems and procedures.

(4) Risk Management. Except as provided in subdivision (10) of this subsection, each licensee shall, based on such licensee's risk assessment:

(A) Design such licensee's information security program to mitigate the identified risks, commensurate with the size and complexity of such licensee's activities, including, but not limited to, such licensee's use of third-party service providers, and the sensitivity of the nonpublic information used by such licensee or in such licensee's possession, custody or control.

(B) Determine which of the following security measures are appropriate and, if such measures are appropriate, implement such measures:

(i) Placement of access controls on such licensee's information systems, including, but not limited to, controls to authenticate and restrict access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information;

(ii) Identification and management of the data, personnel, devices, systems and facilities that enable such licensee to achieve such licensee's business purposes in accordance with their relative importance to such licensee's business objectives and risk strategy;

(iii) Restriction of access to physical locations containing nonpublic information only to authorized individuals;

(iv) Protection, by encryption or other appropriate means, of all nonpublic information while such information is transmitted over an external network or stored on a laptop computer or other portable computing or storage device or medium;

(v) Adoption of secure development practices for in-house developed applications utilized by such licensee and procedures for evaluating, assessing or testing the security of externally developed applications utilized by such licensee;

(vi) Modification of such licensee's information system in accordance with such licensee's information security program;

(vii) Utilization of effective controls, which may include multifactor authentication procedures for any individual accessing nonpublic information;

(viii) Regular testing and monitoring of systems and procedures to detect actual and attempted attacks on, or intrusions into, information systems;

(ix) Inclusion of audit trails within the information security program that are designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal operations and obligations of the licensee;

(x) Implementation of measures to protect against the destruction, loss or damage of nonpublic information due to environmental hazards, including, but not limited to, fire and water, or other catastrophes or technological failures; and

(xi) Development, implementation and maintenance of procedures for the secure disposal of nonpublic information in any format.

(C) Include cybersecurity risks in such licensee's enterprise risk management process.

(D) Stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared.

(E) Provide such licensee's personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by such licensee in such licensee's risk assessment.

(5) Oversight by Board of Directors. Except as provided in subdivision (10) of this subsection, if a licensee has a board of directors, the board, or an appropriate committee of such board, shall, at a minimum:

(A) Require the licensee's executive management or its delegates to develop, implement and maintain such licensee's information security program.

(B) Require the licensee's executive management or its delegates to report, in writing and at least annually, the following information:

(i) The overall status of such licensee's information security program and such licensee's compliance with this section; and

(ii) Material matters related to such licensee's information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management's responses thereto, and recommendations for changes in such information security program.

(C) If a licensee's executive management delegates any of its responsibilities under subparagraph (A) or (B) of this subdivision, it shall oversee the development, implementation and maintenance of the licensee's information security program prepared by the delegate or delegates, and shall receive a report from such delegate or delegates that satisfies the requirements established in subparagraph (B) of this subdivision.

(6) Oversight of Third-Party Service Provider Arrangements. Except as provided in subdivision (10) of this subsection:

(A) Each licensee shall exercise due diligence in selecting such licensee's third-party service providers; and

(B) Not later than October 1, 2021, each licensee shall require each of such licensee's third-party service providers to implement appropriate administrative, technical and physical measures to protect and secure the information systems that are, and nonpublic information that is, accessible to, or held by, such licensee's third-party service providers.

(7) Program Adjustments. Except as provided in subdivision (10) of this subsection, each licensee shall monitor, evaluate and adjust, as appropriate, such licensee's information security program consistent with any relevant changes in technology, the sensitivity of such licensee's nonpublic information, internal or external threats to such information and such licensee's own changing business arrangements, including, but not limited to, changes stemming from mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to information systems.

(8) Incident Response Plan. (A) Except as provided in subdivision (10) of this subsection, each licensee shall, as part of such licensee's information security program, establish a written incident response plan that is designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity or availability of nonpublic information that is in such licensee's possession, custody or control, such licensee's information systems or the continuing functionality of any aspect of such licensee's business or operations.

(B) Each incident response plan shall address the following areas:

(i) The internal process for responding to a cybersecurity event;

(ii) The goals of such incident response plan;

(iii) The definition of clear roles, responsibilities and levels of decision-making authority;

(iv) External and internal communications;

(v) Information sharing;

(vi) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

(vii) Documentation and reporting regarding cybersecurity events and related incident response activities; and

(viii) Evaluation and revision, as necessary, of such incident response plan following each cybersecurity event.

(9) Annual Certification to Commissioner of Domiciliary State. Except as provided in subdivision (10) of this subsection, each insurer domiciled in this state shall submit to the Insurance Commissioner a written statement, not later than February fifteenth, annually, certifying that such insurer is in compliance with the requirements set forth in this subsection. Each insurer shall maintain, for examination by the Insurance Department, all records, schedules and data supporting each statement that such insurer submits to the commissioner for a period of five years. To the extent an insurer has identified areas, systems or processes that require material improvement, updating or redesign, the insurer shall document such identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the commissioner.

(10) Exceptions. (A) The following exceptions shall apply to this subsection:

(i) (I) During the period beginning on October 1, 2020, and ending on September 30, 2021, each licensee with fewer than twenty employees, which, for the purposes of this subclause, includes independent contractors having access to the nonpublic information used by such licensee or in such licensee's possession, custody or control, shall be exempt from this subsection; and

(II) On and after October 1, 2021, each licensee with fewer than ten employees, which, for the purposes of this subclause, includes independent contractors having access to the nonpublic information used by such licensee or in such licensee's possession, custody or control, shall be exempt from this subsection;

(ii) Each licensee that is subject to the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended from time to time, and has established and maintains an information security program pursuant to said act and the rules, regulations, procedures or guidelines established thereunder, shall be deemed to have satisfied the requirements of this subsection, provided such licensee is in compliance therewith and submits to the Insurance Commissioner a written statement certifying such licensee's compliance therewith;

(iii) Each employee, agent, representative or designee of a licensee, who is also a licensee, shall be exempt from the provisions of this subsection and need not develop its own information security program to the extent that such employee, agent, representative or designee is covered by the other licensee's information security program; and

(iv) Each licensee that has established and maintains an information security program in compliance with the statutes, rules and regulations of a jurisdiction approved by the commissioner pursuant to regulations adopted pursuant to subsection (i) of this section shall be deemed to have satisfied the provisions of this subsection, provided such licensee is in compliance therewith and submits to the commissioner, not later than February fifteenth, annually, a written statement certifying such licensee's compliance therewith.

(B) In the event that a licensee ceases to qualify for an exception under this subdivision, the licensee shall have one hundred eighty days to comply with this subsection.

(d) Investigation of a Cybersecurity Event. (1) If a licensee learns that a cybersecurity event has, or may have, occurred, the licensee, or an outside vendor or service provider, or both, designated to act on behalf of such licensee, shall conduct a prompt investigation in accordance with the provisions of this subsection.

(2) During any investigation conducted pursuant to subdivision (1) of this subsection, the licensee or the outside vendor or service provider, or both, shall, at a minimum and to the extent possible:

(A) Determine whether the cybersecurity event occurred; and

(B) If the cybersecurity event occurred:

(i) Assess the nature and scope of such cybersecurity event;

(ii) Identify the nonpublic information, if any, that may have been involved in such cybersecurity event; and

(iii) Perform or oversee reasonable measures to restore the security of the information systems compromised in such cybersecurity event in order to prevent further unauthorized acquisition, release or use of nonpublic information that is in the licensee's possession, custody or control.

(3) If a licensee learns that a cybersecurity event has, or may have, occurred in a system maintained by a third-party service provider, the licensee shall complete the steps listed in subdivision (2) of this subsection or confirm and document that the third-party service provider has completed such steps.

(4) Each licensee that is subject to the provisions of this subsection shall maintain records concerning each cybersecurity event for a period of at least five years from the date of such cybersecurity event, and shall produce such records to the Insurance Commissioner upon demand by the commissioner.

(e) Notification of a Cybersecurity Event. (1) Notification to the Commissioner. Each licensee shall notify the Insurance Commissioner that a cybersecurity event has occurred, as promptly as possible but in no event later than three business days after the date of the cybersecurity event, if:

(A) Such licensee is an insurer and this state is the insurer's state of domicile, or the licensee is an insurance producer, as defined in section 38a-702a, and this state is the insurance producer's home state, as defined in section 38a-702a; and

(B) The licensee reasonably believes that the nonpublic information involved in the cybersecurity event is of two hundred fifty or more consumers residing in this state and:

(i) State or federal law requires that a notice concerning such cybersecurity event be provided to a government body, self-regulatory agency or another supervisory body; or

(ii) It is reasonably likely that such cybersecurity event will materially harm:

(I) A consumer residing in this state; or

(II) A material part of such licensee's normal operations.

(2) Information to Be Provided to Commissioner. (A) Each licensee that notifies the Insurance Commissioner pursuant to subdivision (1) of this subsection shall provide to the commissioner, in an electronic form prescribed by the commissioner, as much of the following information as possible:

(i) The date of the cybersecurity event;

(ii) A description of how the information was exposed, lost, stolen or breached, including, but not limited to, the specific roles and responsibilities of third-party service providers, if any;

(iii) How the cybersecurity event was discovered;

(iv) Whether any lost, stolen or breached information has been recovered and, if so, how such information was recovered;

(v) The identity of the source of the cybersecurity event;

(vi) Whether such licensee has filed a police report or notified any regulatory, government or law enforcement agency, and, if so, when such licensee filed such report or provided such notice;

(vii) A description of the specific types of exposed, lost, stolen or breached information, including, for example, specific types of medical information, financial information or information allowing identification of a consumer;

(viii) The period during which each information system that was compromised by the cybersecurity event was compromised by such cybersecurity event;

(ix) The number of total consumers in this state affected by the cybersecurity event;

(x) The results of an internal review identifying any lapse in automated controls or internal procedures, or confirming that all such controls and procedures were followed;

(xi) A description of any efforts being undertaken to remediate the situation that permitted the cybersecurity event to occur;

(xii) A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event; and

(xiii) The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.

(B) Each licensee that provides information to the Insurance Commissioner pursuant to subparagraph (A) of this subdivision shall have a continuing obligation to update and supplement such information.

(3) Notification to Consumers. Each licensee shall comply with all applicable provisions of section 36a-701b, and provide to the Insurance Commissioner a copy of the notice that such licensee sends to consumers pursuant to said section, if any, if such licensee is required to notify the commissioner pursuant to subdivision (1) of this subsection.

(4) Notice Regarding Cybersecurity Events of Third-Party Service Providers. (A) In the case of a cybersecurity event involving a system maintained by a third-party service provider, each licensee affected by the event shall treat such event, if the licensee is aware of such event, as such licensee would treat such event under subdivision (1) of this subsection.

(B) The computation of a licensee's deadlines shall begin on the day after a third-party service provider notifies the licensee of the cybersecurity event or such licensee otherwise first becomes aware of such event, whichever is sooner.

(C) Nothing in this section shall prevent or abrogate an agreement between a licensee and another party to fulfill any of the investigation requirements imposed under subsection (d) of this section or the notice requirements imposed under this subsection.

(5) Notice Regarding Cybersecurity Events of Reinsurers to Insurers. (A) (i) In the case of a cybersecurity event involving nonpublic information that is used by a licensee that is acting as an assuming insurer or in the possession, custody or control of a licensee that is acting as an assuming insurer and that does not have a direct contractual relationship with the affected consumers, the assuming insurer shall notify its affected ceding insurers and the insurance regulatory official of its state of domicile not later than seventy-two hours after such assuming insurer discovered that the cybersecurity event had occurred.

(ii) Each ceding insurer that has a direct contractual relationship with the consumers affected by a cybersecurity event shall fulfill the consumer notification requirements imposed under section 36a-701b and any other notification requirements relating to a cybersecurity event imposed under this section.

(B) (i) In the case of a cybersecurity event involving nonpublic information that is in the possession, custody or control of a third-party service provider of a licensee, when the licensee is acting as an assuming insurer, including an assuming insurer that is domiciled in another state or jurisdiction, the assuming insurer shall notify its affected ceding insurers and the insurance regulatory official of its state of domicile not later than seventy-two hours after such assuming insurer received notice from the third-party service provider disclosing that the cybersecurity event occurred.

(ii) Ceding insurers that have a direct contractual relationship with affected consumers shall fulfill the consumer notification requirements imposed under section 36a-701b and any other notification requirements relating to a cybersecurity event imposed under this section.

(6) Notice Regarding Cybersecurity Events of Insurers to Producers of Record. If a cybersecurity event involves nonpublic information that is in the possession, custody or control of a licensee that is an insurer, or a third-party service provider for a licensee that is an insurer, and for which a consumer who is affected by the cybersecurity event accessed such licensee's services through an independent insurance producer, such licensee shall notify the producer of record for such consumer of the occurrence of such cybersecurity event not later than the time at which notice is provided to such consumer, provided such licensee has the current producer of record information for such individual consumer.

(f) Power of Commissioner. (1) The Insurance Commissioner shall have power to examine and investigate into the affairs of a licensee to determine whether the licensee is, or has been, engaged in conduct in this state that violates the provisions of this section. The commissioner's power under this subsection is in addition to the commissioner's powers under sections 38a-14 to 38a-16, inclusive. Any such investigation or examination shall be conducted pursuant to said sections, if applicable.

(2) Whenever the Insurance Commissioner has reason to believe that a licensee is, or has been, engaged in conduct in this state that violates the provisions of this section, the commissioner shall issue and serve upon the licensee:

(A) A statement setting forth such violation; and

(B) A notice of a hearing to be held at a time and place fixed in such notice, which time shall not be less than thirty calendar days after the date of service of such notice.

(3) (A) The licensee shall, at the time and place fixed for the hearing in the notice issued and served upon such licensee pursuant to subdivision (2) of this subsection, have an opportunity to be heard and show cause why an order should not be entered by the Insurance Commissioner:

(i) Enforcing the provisions of this section; or

(ii) Suspending, revoking or refusing to reissue or renew any license, certificate of registration or authorization to operate the Insurance Commissioner has issued, or may issue, to such licensee.

(B) The Insurance Commissioner may, after holding a hearing pursuant to subparagraph (A) of this subdivision and in addition to or in lieu of suspending, revoking or refusing to reissue or renew any license, certificate of registration or authorization to operate the commissioner has issued, or may issue, to the licensee, impose on such licensee a civil penalty of not more than fifty thousand dollars for each violation of the provisions of this section. The commissioner may bring a civil action to recover the amount of any civil penalty that the commissioner imposes on a licensee pursuant to this subparagraph.

(g) Confidentiality. (1) (A) Except as provided in subparagraph (B) of this subdivision, documents, materials and other information in the possession, custody or control of the Insurance Department and furnished to the department by a licensee, or an employee or agent of a licensee acting on behalf of the licensee, pursuant to subdivision (9) of subsection (c) of this section or subparagraph (A)(ii), (A)(iii), (A)(iv), (A)(v), (A)(viii), (A)(x) or (A)(xi) of subdivision (2) of subsection (e) of this section, or obtained by the commissioner in an investigation or examination conducted pursuant to subsection (f) of this section, shall be confidential by law, privileged, not subject to disclosure under section 1-210, not subject to subpoena, and not subject to discovery or admission into evidence in any private civil action.

(B) The Insurance Commissioner is authorized to use all documents, materials and other information in furtherance of any regulatory or legal actions brought as a part of the commissioner's duties.

(2) Neither the Insurance Commissioner nor any person acting under the authority of the commissioner who receives documents or materials that are, or other information that is, subject to the provisions of subdivision (1) of this subsection shall be permitted or required to testify in any private civil action concerning such documents, materials or other information.

(3) The Insurance Commissioner, in order to assist the commissioner in performing the commissioner's duties under this section, may:

(A) Share documents, materials and other information, including, but not limited to, confidential and privileged documents, materials and other information subject to subdivision (1) of this subsection, with other state, federal and international regulatory agencies, the National Association of Insurance Commissioners and the affiliates and subsidiaries of said association, the Attorney General and other state, federal or international law enforcement authorities, provided the recipient of such documents, materials or other information agrees, in writing, to maintain the confidentiality and privileged status of such documents, materials or other information;

(B) Receive documents, materials and other information, including, but not limited to, otherwise confidential and privileged documents, materials and other information, from the National Association of Insurance Commissioners and the affiliates and subsidiaries of said association, the Attorney General and other domestic or foreign regulatory or law enforcement officials, provided the commissioner shall maintain as confidential and privileged all documents, materials and other information that the commissioner receives with notice or an understanding that such documents or materials are, or such other information is, confidential or privileged under the laws of the jurisdiction that is the source of such documents, materials or other information;

(C) Share documents, materials and other information subject to subdivision (1) of this subsection with a third-party consultant or vendor, provided the third-party consultant or vendor agrees, in writing, to maintain the confidentiality and privileged status of such documents, materials and other information; and

(D) Enter into agreements governing the sharing and use of documents, materials and other information, provided such agreements are consistent with the provisions of this subsection.

(4) No waiver of any applicable privilege or claim of confidentiality in a document, material or other information shall occur as a result of any disclosure of the document, material or other information to the Insurance Commissioner pursuant to this section, or as a result of any sharing of such document, material or other information authorized under subdivision (3) of this subsection.

(5) Nothing in this section shall prohibit the Insurance Commissioner from releasing final, adjudicated actions that are open to public inspection pursuant to section 1-210 to a database or other clearinghouse service maintained by the National Association of Insurance Commissioners or the affiliates or subsidiaries of said association.

(h) Private Right of Action. Nothing in this section shall be construed to create or imply a private right of action, or to affect or limit a private right of action that exists without regard to this section.

(i) Regulations. The Insurance Commissioner may adopt such regulations, in accordance with chapter 54, as are necessary to carry out the provisions of this section.

(P.A. 19-117, S. 230; 19-196, S. 8.)

History: P.A. 19-196 changed effective date of P.A. 19-117 from October 1, 2019, to October 1, 2020, effective July 8, 2019.