Last week, both Connecticut and Oregon amended their respective data security and breach notification laws that will now levy stricter requirements on entities that store or process personally identifiable information (“PII”) or health-related information.  A full analysis of each bill is below.

Connecticut (S.B. 949)

Breach Notice

Under the new law, Connecticut will require breached entities to provide notice to individuals within 90 days of discovering a breach, although the law provides for delayed notification if the entity requires additional time to complete an investigation of the breach.  If a breach exposes Social Security numbers, Connecticut will also require breached entities to offer a year of complimentary identity theft prevention and mitigation services, and the notifications must include information on signing up for these services, as well as information on placing a credit freeze.

These breach notice provisions will go into effect on October 1, 2015.

Data Security Requirements for State Contractors

The law will also impose new data security requirements on entities that contract with state agencies (“contractors”).  If a contractor receives “confidential information” — defined to include information such as name, date of birth, government-issued identification number, financial information, and any information designated as confidential — from a state agency, the contract must require the entity to implement and maintain a “comprehensive data-security program,” including the use of security policies, annual reviews of such policies, access restrictions, and mandatory security awareness training for employees.  Additionally, Connecticut will require contractors to maintain confidential information on secure servers and drives behind firewall protections and monitored by intrusion detection software.  The law will prohibit contractors from storing confidential information “on stand-alone computer or notebook hard disks or portable storage devices,” unless the contract provides otherwise and sufficient security measures are in place.

In the case of a breach, the contractor must notify the state contracting agency and the state Attorney General “as soon as practicable” following the discovery of the breach, and submit a report detailing the breach or why the contractor believes no breach occurred.  Each contract must include a proposed timeline for submitting such a report, as well as describe how the cost of breach notification and investigation will be apportioned between the contractor and state agency.  If a breach exposes education records — as defined by the federal Family Educational Rights and Privacy Act — the contractor can be subject to a five-year ban on receiving such information.

These state contractor provisions will go into effect on July 1, 2015.

Data Security Requirements for Health Insurance Industry

The law also requires health insurance entities (including health insurers, health care centers, pharmacy benefits managers, third-party administrators, and utilization review companies) to implement, maintain, and update annually a “comprehensive information security program” to protect personal information — defined to include protected health information, government-issued ID numbers, biometric data, and financial information.  For example, the information security program must include specific access controls including multi-factor authentication, encryption of confidential information in transit on the public Internet, employee education programs, risk assessments, on-boarding procedures, imposition of disciplinary measures on employees for violating the policies or procedures, and oversight of vendor data security contracts.

Under penalty of perjury, companies must certify annually to the Connecticut Insurance Department that they have complied with these requirements.  The new law grants the Connecticut Insurance Commissioner authority to enforce these provisions, although the bill does not outline what penalties may apply.

These health insurance industry provisions will go into effect on October 1, 2017.

Smartphone “Kill Switches”

The law requires all “smartphones” offered for sale in Connecticut to include hardware or software (which can be downloadable upon initial activation) that allows an authorized user to render the “essential features” of the phone inoperable to an unauthorized user.  Connecticut defines “smartphone” as any “mobile voice communications handset device” that includes all of the following features:

(1) A mobile operating system,

(2) the capability to utilize software applications, access and browse the Internet, utilize text messaging, utilize digital voice service and send and receive electronic mail,

(3) wireless network connectivity, and

(4) the capability of operating on a long-term evolution network or on any successor wireless data communication standard.

Connecticut excludes “a telephone commonly referred to as a ‘feature’ or ‘messaging’ telephone, a laptop computer, a tablet device or a device that only has electronic reading capability” from the definition.

These smartphone provisions will go into effect on July 1, 2017.

Oregon (S.B. 601)

Under the new law, Oregon expands the definition of “personal information” so that, in addition to the data elements already covered, entities must notify individuals whose compromised information includes a full name and one of the following:

[1] Data from the automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction [also known as biometrics];

[2] A consumer’s health insurance policy number or subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or

[3] Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.

The bill requires entities to notify, in writing or electronically, the Oregon Attorney General following a breach involving more than 250 residents, and the notification must be made “in the manner described” for individual notifications.  The bill also requires consumer notifications to include “[a]dvice to the consumer to report suspected identity theft to law enforcement, including the [Oregon] Attorney General and the Federal Trade Commission.”

Lastly, the bill adds an exception to the individual notification requirements for covered entities as defined by the federal Health Insurance Portability and Accountability Act, provided that the covered entity sends a copy to the Oregon Attorney General of the notice it provides to its primary federal regulator.  In addition to the penalties under the state’s preexisting data breach notification law — including injunctive relief and penalties of up to $1,000 per violation and capped at $500,000 — the bill defines violations to be unlawful trade practices.  As a result, a prosecutor can seek injunctions and — for willful violations — civil penalties of up to $25,000 per violation.

These provisions will go into effect on January 1, 2016.


Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel in criminal, civil, and internal investigations involving cybersecurity, insider risk, and U.S. national security issues.

Ashden regularly counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Ashden also assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He frequently represents government contractors in False Claims Act matters involving cybersecurity and national security. Additionally, he advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.