Last week, both Connecticut and Oregon amended their respective data security and breach notification laws that will now levy stricter requirements on entities that store or process personally identifiable information (“PII”) or health-related information.  A full analysis of each bill is below.

Connecticut (S.B. 949)

Breach Notice

Under the new law, Connecticut will require breached entities to provide notice to individuals within 90 days of discovering a breach, although the law provides for delayed notification if the entity requires additional time to complete an investigation of the breach.  If a breach exposes Social Security numbers, Connecticut will also require breached entities to offer a year of complimentary identity theft prevention and mitigation services, and the notifications must include information on signing up for these services, as well as information on placing a credit freeze.

These breach notice provisions will go into effect on October 1, 2015.

Data Security Requirements for State Contractors

The law will also impose new data security requirements on entities that contract with state agencies (“contractors”).  If a contractor receives “confidential information” — defined to include information such as name, date of birth, government-issued identification number, financial information, and any information designated as confidential — from a state agency, the contract must require the entity to implement and maintain a “comprehensive data-security program,” including the use of security policies, annual reviews of such policies, access restrictions, and mandatory security awareness training for employees.  Additionally, Connecticut will require contractors to maintain confidential information on secure servers and drives behind firewall protections and monitored by intrusion detection software.  The law will prohibit contractors from storing confidential information “on stand-alone computer or notebook hard disks or portable storage devices,” unless the contract provides otherwise and sufficient security measures are in place.

In the case of a breach, the contractor must notify the state contracting agency and the state Attorney General “as soon as practicable” following the discovery of the breach, and submit a report detailing the breach or why the contractor believes no breach occurred.  Each contract must include a proposed timeline for submitting such a report, as well as describe how the cost of breach notification and investigation will be apportioned between the contractor and state agency.  If a breach exposes education records — as defined by the federal Family Educational Rights and Privacy Act — the contractor can be subject to a five-year ban on receiving such information.

These state contractor provisions will go into effect on July 1, 2015.

Data Security Requirements for Health Insurance Industry

The law also requires health insurance entities (including health insurers, health care centers, pharmacy benefits managers, third-party administrators, and utilization review companies) to implement, maintain, and update annually a “comprehensive information security program” to protect personal information — defined to include protected health information, government-issued ID numbers, biometric data, and financial information.  For example, the information security program must include specific access controls including multi-factor authentication, encryption of confidential information in transit on the public Internet, employee education programs, risk assessments, on-boarding procedures, imposition of disciplinary measures on employees for violating the policies or procedures, and oversight of vendor data security contracts.

Under penalty of perjury, companies must certify annually to the Connecticut Insurance Department that they have complied with these requirements.  The new law grants the Connecticut Insurance Commissioner authority to enforce these provisions, although the bill does not outline what penalties may apply.

These health insurance industry provisions will go into effect on October 1, 2017.

Smartphone “Kill Switches”

The law requires all “smartphones” offered for sale in Connecticut to include hardware or software (which can be downloadable upon initial activation) that allows an authorized user to render the “essential features” of the phone inoperable to an unauthorized user.  Connecticut defines “smartphone” as any “mobile voice communications handset device” that includes all of the following features:

(1) A mobile operating system,

(2) the capability to utilize software applications, access and browse the Internet, utilize text messaging, utilize digital voice service and send and receive electronic mail,

(3) wireless network connectivity, and

(4) the capability of operating on a long-term evolution network or on any successor wireless data communication standard.

Connecticut excludes “a telephone commonly referred to as a ‘feature’ or ‘messaging’ telephone, a laptop computer, a tablet device or a device that only has electronic reading capability” from the definition.

These smartphone provisions will go into effect on July 1, 2017.

Oregon (S.B. 601)

Under the new law, Oregon expands the definition of “personal information,” so that, in addition to the previously covered data elements, a breach will require mandatory notification of individuals whose compromised information includes a full name and one of the following:

[1] Data from the automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction [also known as biometrics];

[2] A consumer’s health insurance policy number or subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the consumer; or

[3] Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer.

The bill requires entities to notify, in writing or electronically, the Oregon Attorney General following a breach involving more than 250 residents, and the notification must be made “in the manner described” for individual notifications.  The bill also requires consumer notifications to include “[a]dvice to the consumer to report suspected identity theft to law enforcement, including the [Oregon] Attorney General and the Federal Trade Commission.”

Lastly, the bill adds an exception to the individual notification requirements for covered entities as defined by the federal Health Insurance Portability and Accountability Act, provided that the covered entity sends a copy to the Oregon Attorney General of the notice it provides to its primary federal regulator.  In addition to the penalties under the state’s preexisting data breach notification law — including injunctive relief and penalties of up to $1,000 per violation and capped at $500,000 — the bill defines violations to be unlawful trade practices.  As a result, a prosecutor can seek injunctions and — for willful violations — civil penalties of up to $25,000 per violation.

These provisions will go into effect on January 1, 2016.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.