Bill Text: CT SB00589 | 2015 | General Assembly | Comm Sub


Bill Title: An Act Concerning The Unauthorized Access Of Consumer Data.

Spectrum: Committee Bill

Status: (Introduced - Dead) 2015-03-11 - Referred to Joint Committee on General Law


General Assembly

Committee Bill No. 589

January Session, 2015

LCO No. 5036

Referred to Committee on GENERAL LAW

Introduced by: (GL)

AN ACT CONCERNING THE UNAUTHORIZED ACCESS OF CONSUMER DATA.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective from passage) (a) As used in this section, (1) "encrypt" means the transformation of electronic data into a form in which meaning cannot be assigned without the use of a confidential process or key, and (2) "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data: (A) A Social Security number; (B) a driver's license number or a state identification number; (C) a home address; or (D) individually identifiable health information. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

(b) Not later than July 1, 2016, each insurer, banking or financial organization, data broker that collects personal information and health care center or other entity licensed to do health insurance business in this state shall implement security technology that encrypts the personal information of consumers, insureds and enrollees that is compiled or maintained by such insurer, banking or financial organization, data broker, health care center or other entity. Any such security technology shall be updated as is necessary and practicable.

(c) Not later than seven days after receiving notice of unauthorized access to personal information by a third party, an entity listed in subsection (b) of this section shall notify each person who has had his or her personal information accessed, in writing, of such unauthorized access of his or her personal information.

(d) An entity required to notify a person of unauthorized access of his or her personal information pursuant to subsection (c) of this section shall provide such person with not less than two years of commercially available identity theft monitoring and protection at no charge to the person.

(e) The Insurance Commissioner, after consulting with the Commissioner of Consumer Protection, shall adopt regulations, in accordance with the provisions of chapter 54 of the general statutes, to implement the provisions of this section and to establish minimum standards for security technology required to be implemented pursuant to subsection (b) of this section.

This act shall take effect as follows and shall amend the following sections:

Section 1 | from passage | New section

Statement of Purpose:

To require insurance companies, banks and other entities to implement security technology that encrypts the personal information of consumers that is compiled or maintained by such insurance companies, banks and entities, to require the Insurance Commissioner to adopt regulations, after consulting with the Commissioner of Consumer Protection, to establish minimum standards for such security technology and to require written notification and identity theft monitoring and protection relating to unauthorized access of personal information.

[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]

Co-Sponsors:

SEN. LOONEY, 11th Dist.

S.B. 589
