Meet Connecticut's New Cybersecurity Law

Arent Fox

Although the Connecticut legislature was not successful in passing a privacy law similar to those passed in California, Colorado and Virginia, on June 24, 2021, the “Act Incentivizing The Adoption Of Cybersecurity Standards For Businesses” (Public Act No. 21-119) (“Cybersecurity Standards Act”) was passed and goes into effect on October 1, 2021.

Like many state data security laws, the Cybersecurity Standards Act requires a cybersecurity program with “reasonable” controls. But, rather than define what is reasonable by reference to certain enumerated requirements (like the laws in neighboring states Massachusetts and New York), the Cybersecurity Standards Act includes more general requirements, and what constitutes reasonable cybersecurity is established by way of a safe harbor. Specifically, the Cybersecurity Standards Act makes available an affirmative defense to a tort claim that a business’ failure to “implement reasonable cybersecurity controls” resulted in a data breach. The affirmative defense is available when the action is brought under Connecticut law or in Connecticut state courts and when the defendant business can demonstrate that it conformed to one of the enumerated “industry recognized” cybersecurity frameworks.

The named frameworks are:

The affirmative defense also is available if the defendant business is subject to and conforms its cybersecurity program to any of the following federal laws:

  • Security requirements of the Health Insurance Portability and Accountability Act or the Health Information Technology for Economic and Clinical Health Act.
  • Title V of the Gramm-Leach-Bliley Act.
  • The Federal Information Security Modernization Act.

The business loses the affirmative defense if one of these laws is amended and the business does not comply with the amended version within six months after the amendment date.  The same six-month rule also applies to compliance with PCI-DSS.

The Cybersecurity Standards Act is similar to Ohio’s data security law, which offers a “safe harbor” to a tort claim that a business’ failure to “implement reasonable information security controls” results in a data breach if the business complies with one of the listed industry standards and laws.  The Ohio law gives a business one year to comply with an amendment.

Under the Cybersecurity Standards Act, the cybersecurity program must protect both “personal information” and “restricted information”. The former, “personal information”, includes the same combination of personal information as in Connecticut’s data breach notification law (Connecticut General Statutes § 36a-701b) but adds some new categories of identifiers, such as an identity protection personal identification number issued by the Internal Revenue Service and biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina or iris image. The latter, “restricted information”, means information (other than personal information or publicly available information) that, “alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is reasonably linked or linkable to an individual, if the information is not encrypted, redacted or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property”.

Complying with an industry data security framework is clearly beneficial under the Cybersecurity Standards Act (as well as the Ohio law) but, depending on the volume and sensitivity of a business’ information processing and available resources, the time and money needed to comply with an industry standard may outweigh the benefit.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arent Fox | Attorney Advertising