Connecticut 2016 Regular Session

Connecticut House Bill HB05346 Comm Sub / Bill

Filed 04/06/2016

                    General Assembly  Substitute Bill No. 5346
February Session, 2016  *_____HB05346PH____032216____*


AN ACT CONCERNING STATE AGENCY CONFIDENTIALITY BASED ON A PROGRAM REVIEW AND INVESTIGATIONS COMMITTEE STUDY. 

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective from passage) (a) For purposes of this section: (1) "Confidential information" has the same meaning as provided in section 4e-70 of the general statutes; and (2) "confidential information breach" means an instance where an unauthorized person or entity accesses confidential information in any manner, including, but not limited to, the following occurrences: (A) Any confidential information that is not encrypted or secured by any other method or technology that renders the confidential information unreadable or unusable is misplaced, lost, stolen or subject to unauthorized access; (B) one or more third parties have accessed, or taken control or possession of, without prior written authorization from the state, (i) any confidential information that is not encrypted or protected, or (ii) any encrypted or protected confidential information together with the confidential process or key that is capable of compromising the integrity of the confidential information; or (C) there is a substantial risk of identity theft or fraud.

(b) Not later than October 1, 2016, the Commissioner of Public Health shall develop and implement the use of a confidentiality pledge for employees of the Department of Public Health concerning the use and disclosure of confidential information. The confidentiality pledge shall notify each employee of his or her responsibilities concerning the use and disclosure of confidential information and potential consequences for the misuse of such information or data under applicable statutes, regulations and department policies. The commissioner shall ensure that each employee of the department receives and signs the confidentiality pledge on or before January 1, 2017, or, if hired after said date, on the first day of such employee's employment with the department. The commissioner shall review and revise the confidentiality pledge as the commissioner deems necessary. Each employee of the department shall receive and sign any revised confidentiality pledge not later than fifteen days after the date of any such revision.

(c) Not later than December 1, 2016, the Commissioner of Public Health, in consultation with the Secretary of the Office of Policy and Management, shall develop and implement internal policies to protect confidential information obtained or generated by the department from a confidential information breach. Such policies shall include, but need not be limited to, processes to: (1) Identify computer system vulnerabilities to a confidential information breach and eliminate or reduce such vulnerabilities; (2) identify the occurrence of any confidential information breach; (3) classify the severity of a confidential information breach; (4) limit or contain the disclosure of confidential information in the event of a confidential information breach; (5) document each incident of a confidential information breach; and (6) notify affected parties in the event of a confidential information breach. Not later than December 31, 2016, the Commissioner of Public Health shall submit a copy of such policies to the joint standing committee of the General Assembly having cognizance of matters relating to public health.

Sec. 2. (NEW) (Effective from passage) (a) For purposes of this section: (1) "Confidential information" has the same meaning as provided in section 4e-70 of the general statutes; and (2) "confidential information breach" means an instance where an unauthorized person or entity accesses confidential information in any manner, including, but not limited to, the following occurrences: (A) Any confidential information that is not encrypted or secured by any other method or technology that renders the confidential information unreadable or unusable is misplaced, lost, stolen or subject to unauthorized access; (B) one or more third parties have accessed, or taken control or possession of, without prior written authorization from the state, (i) any confidential information that is not encrypted or protected, or (ii) any encrypted or protected confidential information together with the confidential process or key that is capable of compromising the integrity of the confidential information; or (C) there is a substantial risk of identity theft or fraud.

(b) Not later than October 1, 2016, the Commissioner of Consumer Protection shall develop and implement the use of a confidentiality pledge for employees of the Department of Consumer Protection concerning the use and disclosure of confidential information. The confidentiality pledge shall notify each employee of his or her responsibilities concerning the use and disclosure of confidential information and potential consequences for the misuse of such information or data under applicable statutes, regulations and department policies. The commissioner shall ensure that each employee of the department receives and signs the confidentiality pledge on or before January 1, 2017, or, if hired after said date, on the first day of such employee's employment with the department. The commissioner shall review and revise the confidentiality pledge as the commissioner deems necessary. Each employee of the department shall receive and sign any revised confidentiality pledge not later than fifteen days after the date of any such revision.

(c) Not later than December 1, 2016, the Commissioner of Consumer Protection, in consultation with the Secretary of the Office of Policy and Management, shall develop and implement internal policies to protect confidential information obtained or generated by the department from a confidential information breach. Such policies shall include, but need not be limited to, processes to: (1) Identify computer system vulnerabilities to a confidential information breach and eliminate or reduce such vulnerabilities; (2) identify the occurrence of any confidential information breach; (3) classify the severity of a confidential information breach; (4) limit or contain the disclosure of confidential information in the event of a confidential information breach; (5) document each incident of a confidential information breach; and (6) notify affected parties in the event of a confidential information breach. Not later than December 31, 2016, the Commissioner of Consumer Protection shall submit a copy of such policies to the joint standing committee of the General Assembly having cognizance of matters relating to consumer protection.

 


This act shall take effect as follows and shall amend the following sections:
Section 1    from passage    New section
Sec. 2       from passage    New section


Statement of Legislative Commissioners: 

In Section 1(b) and Section 2(b), "such revision" was changed to "any such revision" for clarity; in Section 1(c)(1) and Section 2(c)(1) "confidential data breach" was changed to "confidential information breach" for internal consistency; and, in Section 2(c), "matters relating to general law" was changed to "matters relating to consumer protection" for statutory consistency.

 

PRI Joint Favorable Subst. C/R PH
PH Joint Favorable Subst.-LCO
