Connecticut Insurance Department Publishes Bulletin on Cybersecurity

09/28/17 – The Connecticut Insurance Department published a bulletin that addresses a Connecticut law requiring health insurers, third party administrators (TPAs), and other entities to adopt a cybersecurity program.

Beginning October 1, 2017, Connecticut General Statutes, Section 38a-999b will require Connecticut entities engaged in health insurance, including insurers, TPAs, pharmacy benefit managers, and utilization review companies, to take a variety of steps to ensure that the personal information of insureds that it compiles remains safe.

The bulletin explains that the law specifies the requirements of an information security program and requires this program to be updated as necessary as practical. Entities must then certify their compliance with the law annually.

If an entity discovers a security breach, the law requires the entity to notify affected state residents of the breach and offer residents at least one year of free identity theft protection. Entities that do not comply with these requirements commit an unfair trade practice.

Connecticut Insurance Department Bulletin MC-23.

CFPB Releases Spring 2017 Rulemaking Agenda

The CFPB announced the publication its Spring 2017 rulemaking agenda.

Hot Topic: CFPB Cannot Regulate Optional Insurance Sales

Dodd-Frank limits the CFPB's jurisdiction over insurance. Though the CFPB can exercise some authority over insurance activities, their reach should not extend to optional sales by banks.

Hot Topic: A Survey of CFPB's UDAAP Actions

This summary of each enforcement action by the CFPB can help companies avoid UDAAP violations.