Almost all U.S. states and territories have enacted breach notification laws requiring private and/or government entities to notify individuals when their personal information is compromised. These laws vary, and much has been written about the challenges caused by the differences, including who must comply with the law (e.g., persons, businesses, information brokers, government entities, covered entities); definitions of “personal information” (e.g., first name or first initial and last name combined with a Social Security number, driver’s license or state ID, financial account numbers, or health information); what constitutes a breach (e.g., unauthorized acquisition of data or access to data, risk of harm); requirements for notice (e.g., timing or method of notice and who must be notified); whether notification of a state regulator (e.g., attorney general’s office) is required; and exemptions (e.g., for encrypted information). We have created a chart describing each law as well as a chart summarizing key issues. Separate and apart from these laws, eight states—California, Connecticut, Maine, New Hampshire, Ohio, Rhode Island, Vermont, Washington, and Wisconsin—have breach notification requirements that specifically apply to insurers. These breach notification requirements also vary and are discussed in detail below.
California. Under California Civil Code § 1798.82, any entity conducting business in California that owns or licenses computer data that includes personal information must disclose any data security breach to California residents whose unencrypted personal information “was, or is reasonably believed to have been, acquired by an unauthorized person.” Under that same statute, any entity required to notify more than 500 California residents must also notify the attorney general of the state of California. On May 16, 2014 (updated February 5, 2015), the California Insurance Department issued a notice requesting that all insurers, insurance producers, and insurance support organizations provide the insurance commissioner with copies of any notices or information submitted to the attorney general’s office. Copies of notices must be sent to the California Department of Insurance, Attention Susan Bernard, Division Chief, Field Examinations, 45 Fremont Street, 24th Floor, San Francisco, California 94105; e-mail: Susan.Bernard@insurance.ca.gov.
Connecticut. On August 10, 2010, the Connecticut Insurance Department issued Bulletin IC-25 to all licensees and registrants of the department, including insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, healthcare centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans. Bulletin IC-25 requires all registrants and licensees to notify the department of any information security incident that affects any Connecticut residents. “Information security incident” is broadly defined as “any unauthorized acquisition or transfer of, or access to, personal health, financial, or personal information, whether or not encrypted, of a Connecticut insured, member, subscriber, policyholder, or provider, in whatever form the information is collected, used or stored, which is obtained or maintained by a licensee or registrant of the Insurance Department, the loss of which could compromise or put at risk the personal, financial, or physical well-being of the affected insureds, members, subscribers, policyholders or providers.” The requirement to notify the department even when the information is encrypted is contrary to most existing breach notification laws, including Connecticut’s own breach notification law, which generally exempt encrypted data.