Friday, May 15, 2015

Crisco leads passage of cybersecurity protections

HARTFORD - Following through on their promise to improve consumer privacy protections after a major data breach at one of Connecticut’s largest insurers, Senate Democrats led passage Thursday of major legislation that arose out of the Anthem data breach earlier this year.
State Sen. Joseph J. Crisco

In February, Anthem announced that the company’s IT systems were hacked in a major data breach. 
More than 80 million people nationally, including more than 1.7 million in Connecticut, were made vulnerable by the breach. 

Information stolen included data about current and former customers, such as names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses, employment information, and some income data.

“This bill has far-reaching ramifications for consumer privacy in Connecticut,” said state Sen. Joseph J. Crisco, Jr., D-Woodbridge, Chair of the Insurance and Real Estate Committee. 
“This is what the General Assembly is all about—protecting the safety and security of Connecticut citizens and doing so in a responsible manner. This is a major victory for consumer protection in Connecticut.”

“The hackers who executed the Anthem data breach perpetrated a crime on a grand scale,” said Senate President Martin M. Looney, D-New Haven. “This bill redoubles our efforts to ensure that all health insurance records are protected from criminal actors targeting personal information.”

The bill requires health insurance companies to set up protocols to ensure that customers’ most private data is kept secure; specifically, this data includes an individual’s first name in combination with such things as a social security number, credit card or debit card number, and protected health information as defined in federal law.

Companies must develop a comprehensive information security program to safeguard the personal information of their enrollees. This program will require that only personnel who need access to personal information should have it, that companies monitor their security systems for breaches, that they offer employee education and training on the proper use of the company’s information technology systems, and that they encrypt all data in transit—whether over the internet, on a laptop, or a flash drive.

Employees with access to vast amounts of confidential, personal data must use multi-factor authentication—a password and at least one additional type of authentication to get access to personal data. 
Additionally, companies must designate someone to be in charge of cyber security, report a security breach within 30 days, and provide credit monitoring to the victims of any breach.


This is a press release from Crisco's office.  
