In July, Connecticut passed a largely unnoticed new law that followed in the footsteps of Ohio and Utah in limiting damages or creating affirmative defenses for business that experience a data breach after implementing a qualifying cybersecurity program (also referred to as a written information security program).
As of October 1, 2021, a Connecticut business that implements a qualifying formal written cybersecurity program that contains “administrative, technical and physical safeguards for the protection of personal or restricted information” prior to a data breach is immune to punitive damages in cases that allege failure to protect personal and confidential information. This new law (Public Act 21-119) enacted by the Connecticut Legislature on July 6, 2021, was created with the goal of incentivizing businesses to adopt cybersecurity standards by offering protections to those that implement the reasonable cybersecurity controls identified in the law. This law applies only to tort claims brought under Connecticut law in Connecticut state court.
Those accepted cybersecurity frameworks are the current versions of the following:
- The “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology
- The National Institute of Standards and Technology’s special publication 800-171, which governs controlled unclassified information
- The National Institute of Standards and Technology’s special publications 800-53 and 800-53a
- The Federal Risk and Management Program’s “FedRAMP Security Assessment Framework," applicable to cloud-based services
- The Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”
- The “ISO/IEC 27000-series” information security standards published by the International Organization for Standardization and the International Electrotechnical Commission
Businesses that receive and process payment cardholder data are included if they also comply with one of the above frameworks and the current version of the Payment Card Industry Data Security Standard (PCI-DSS).
Connecticut businesses that are subject to certain other regulations can receive the protections afforded by the law if they comply with the following relevant cybersecurity requirements:
- The security requirements of the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended from time to time, as set forth in 45 CFR 164, Subpart C, as amended from time to time
- Title V of the Gramm-Leach-Bliley Act of 1999, P.L. 106-102, as amended from time to time
- The Federal Information Security Modernization Act of 2014, P.L. 113-283, as amended from time to time
- The security requirements of the Health Information Technology for Economic and Clinical Health Act, as amended from time to time, as set forth in 45 CFR 162, as amended from time to time
If the applicable cybersecurity framework with which a business has chosen to comply is amended, it will have six months to update its policies to comply.
As in Ohio and Utah, Connecticut businesses that institute a qualifying cybersecurity program under the aforementioned guidelines prior to a data breach earn the right to avoid punitive damages.
On the other hand, businesses operating in Ohio and Utah with qualifying cybersecurity programs can also take advantage of broad affirmative defenses to causes of action available under the respective law that may be brought against them following a data breach, including failure to implement reasonable cybersecurity controls, failure to appropriately respond to a data breach and failure to appropriately notify individuals of compromised personal information.
For businesses in Connecticut, Ohio and Utah, taking advantage of the benefits offered by these laws by implementing a qualifying cybersecurity program should be a priority. Additionally, these laws are a preview of where other states are heading with similar laws. Finally, having an appropriate cybersecurity program in place not only helps a business in any state assess the strength of, and detect weakness in, its cybersecurity program, but also demonstrates to regulators and jurors that the business took cybersecurity seriously if there is an unfortunate data breach.