Bulletin IC-18

September 16, 2008

Effective October 1, 2008, a new Connecticut Law (Public Act No. 08-167) requires all persons and entities who hold a license, registration, or certificate issued by a Connecticut state agency, including the Insurance Department, to meet the following requirements:

1. Any person in possession of Personal Information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files, and documents prior to disposal.
   
   As defined in the law, “Personal Information” means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
2. Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed. As defined in the law, “publicly displayed” includes, but is not limited to, posting on an Internet web page. Such policy shall: (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

This new law supplements an existing law on display and use of Social Security numbers (Section 42-470 of the Connecticut General Statutes), which, among other provisions, prohibits the use of Social Security numbers on identification cards used by individual and group health insurers.

In addition to the requirements under this new Public Act 08-167, and under Section 42-470 noted above, the Department also wants to remind persons and entities with a license or registration from the Department of existing requirements concerning the privacy of consumer financial information (contained in Sections 38a-8-105 through 38a-8-123 of the Connecticut Insurance Department Regulations) and safeguarding customer financial information (contained in Sections 38a-8-124 through 38a-8-126 of the Connecticut Insurance Department Regulations). “Licensee” is defined in the Regulations to mean: “… any licensed insurers, producers, or other persons licensed, required to be licensed, authorized, required to be authorized, registered or required to be registered pursuant to Title 38a of the Connecticut General Statutes…”

Connecticut also has in effect an Insurance Information and Privacy Protection Act (Sections 38a-975 through 38a-999a of the Connecticut General Statutes) which contains requirements for insurance institutions, agents, and insurance support organizations as defined in the Act.

Furthermore, many persons and entities are also subject to federal requirements concerning privacy, including the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.

The Department strongly urges persons and entities holding a license, registration, or certificate from the Department to review their current policies on handling Social Security numbers and other personal information related to Connecticut consumers and to make appropriate changes, if necessary, to ensure compliance with Connecticut’s requirements.

The Department has the authority to fine and take other appropriate enforcement activity against persons or entities who are non-compliant with the Connecticut requirements cited herein.

Thomas R. Sullivan, Insurance Commissioner

Print Bulletin IC-18