Connecticut Extends Deadlines to Comply with Insurance Data Security Law, New York Approved as a Safe Harbor Jurisdiction

February 16, 2021
Hinshaw Privacy & Cyber Bytes

We previously reported that the Connecticut Insurance Department had issued Bulletin IC-42 to all licensees, providing guidance for compliance with the State's Insurance Data Security Law (the Act). However, in light of the impact of the COVID-19 pandemic Governor Lamont extended the effective date of the law to April 19, 2021.

The Connecticut Insurance Department has now issued Bulletin IC-43, which repeals and replaces Bulletin IC-42 and extends the deadlines for compliance with various requirements of the Act. Notably, the new deadline for nonexempt licensees to develop, implement, and maintain a comprehensive written Information Security Program is now April 19, 2021.

Due diligence must be exercised in selecting third party service providers and appropriate administrative, technical, and physical measures to protect and secure information systems and nonpublic information that are accessible to or held by third party service providers must be established by October 21, 2021.

Annual certifications by domestic insurers of compliance with the Act will be required effective February 15, 2021, although the Department will not impose sanctions for failure to file the certificate on time, provided it is filed by June 15, 2021. The Department also announced that the State of New York has been identified as a safe harbor jurisdiction. Accordingly, a certification of compliance with the New York State Department of Financial Service's Cybersecurity Regulation will be deemed sufficient for Connecticut licensees.