CT Dept. of Insurance Implements 5-Day Breach Notification Rule

Published: Aug. 27, 2010

Last Updated: Oct. 05, 2020

On August 18, 2010, the Connecticut Department of Insurance released a bulletin to its regulated entities imposing a new requirement for those entities to notify the Commissioner’s office in writing “as soon as the incident is identified, but not later than five (5) calendar days after the incident is identified.” While Connecticut has had a data breach notification statute in place for some time now, the statute only requires entities to notify “without unreasonable delay,” and does not mandate notification within a specific time frame. The bulletin lists the types of information that the notification should contain and states that the Department expects to review any proposed notifications to be made to affected individuals and may also require the entity to offer credit monitoring and/or insurance protection to affected individuals. The bulletin states that new reporting requirements will also apply in cases where a vendor or business associate performing services for a regulated entity suffers a breach in which personal information of Connecticut residents is compromised. A copy of the bulletin can be found here.