This post was also written by Diane Bettino.
Nearly every state in the U.S. has a statute requiring notifications upon discovery of a data security breach. Most of these laws do not mandate notification to any state authority. Those few state laws that compel governmental notice are usually satisfied with contemporaneous notice, or notice after the fact.
That all may change, at least for entities licensed or directly regulated by state agencies. The State of Connecticut’s Department of Insurance has issued a bulletin, Bulletin IC-25.
Bulletin IC-25 envisions a much more active government role whenever a company licensed or regulated by the Department has an “information security incident”. This Bulletin applies to a variety of regulated entities, from insurers to appraisers, from bail bond agents to pharmacy benefit managers to medical discount plans.
The Bulletin requires that the business send notice of an “information security incident” no later than five calendar days after the incident is identified. As businesses that have suffered data security breaches know, it will often take more than five calendar days to learn even the basics about a potential incident.
This lightning-quick notification to the Department should include as much as possible about 15 categories of information, including the results of internal reviews and copies of the business’s privacy policies and data breach policies. If regulated companies did not have adequate incentive to have such policies in place before, they surely do now.
“The Department will want to review, in draft form, any communications proposed to be made” regarding the breach. Additionally, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time” (emphasis added). Businesses used to drafting their own communications and selecting their own remedies to offer will now be negotiating those points post-breach with a government agency.
In addition, the Department will set up a “monitoring process,” unique to each incident, to keep abreast of “activities associated with any information security incident”.
It remains to be seen whether other state regulatory agencies adopt a similar approach. However, for those who fall under the ambit of this Bulletin, it represents a sea change in the allocation of authority between government and business in the period between breach and notification.