CT SB00903
Bill
Status
2/21/2019
Primary Sponsor
Insurance and Real Estate Committee
AI Summary
SB 903 - Insurance Data and Information Security
- Creates the "Insurance Data Security Law" effective October 1, 2019, establishing cybersecurity standards for Connecticut insurance licensees and requiring implementation of risk assessment and information security programs by July 1, 2020 and October 1, 2020, respectively.
- Requires licensees to notify the Insurance Commissioner within 72 hours of discovering a cybersecurity event affecting at least 250 consumers or that would materially harm consumers or business operations, and to submit detailed incident information including breach description, affected data types, remediation efforts, and consumer notification details.
- Mandates comprehensive information security safeguards including access controls, multifactor authentication, encryption of nonpublic information, audit trails, regular security testing, and incident response plans with clear roles and responsibilities for cybersecurity events.
- Imposes civil penalties of up to $50,000 per violation and grants the Insurance Commissioner authority to investigate violations and suspend or revoke licenses, with investigation materials kept confidential and privileged except for regulatory enforcement purposes.
- Exempts licensees with fewer than 10 employees, those complying with HIPAA requirements, and agents/representatives of other licensees covered by their principals' security programs; requires exempted licensees to comply within 180 days of no longer qualifying for exemption.
Legislative Description
An Act Concerning Insurance Data And Information Security.
Last Action
File Number 320
4/2/2019