New Connecticut Law Incentivizes Adoption of Cybersecurity Standards

Fox Rothschild LLP

Fox Rothschild LLP

In July, Connecticut passed a largely unnoticed new law that followed in the footsteps of Ohio and Utah in limiting damages or creating affirmative defenses for business that experience a data breach after implementing a qualifying cybersecurity program (also referred to as a written information security program).

As of October 1, 2021, a Connecticut business that implements a qualifying formal written cybersecurity program that contains “administrative, technical and physical safeguards for the protection of personal or restricted information” prior to a data breach is immune to punitive damages in cases that allege failure to protect personal and confidential information. This new law (Public Act 21-119) enacted by the Connecticut Legislature on July 6, 2021, was created with the goal of incentivizing businesses to adopt cybersecurity standards by offering protections to those that implement the reasonable cybersecurity controls identified in the law. This law applies only to tort claims brought under Connecticut law in Connecticut state court.

Those accepted cybersecurity frameworks are the current versions of the following:

  • The “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology
  • The National Institute of Standards and Technology’s special publication 800-171, which governs controlled unclassified information
  • The National Institute of Standards and Technology’s special publications 800-53 and 800-53a
  • The Federal Risk and Management Program’s “FedRAMP Security Assessment Framework," applicable to cloud-based services
  • The Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”
  • The “ISO/IEC 27000-series” information security standards published by the International Organization for Standardization and the International Electrotechnical Commission

Businesses that receive and process payment cardholder data are included if they also comply with one of the above frameworks and the current version of the Payment Card Industry Data Security Standard (PCI-DSS).

Connecticut businesses that are subject to certain other regulations can receive the protections afforded by the law if they comply with the following relevant cybersecurity requirements:

  • The security requirements of the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended from time to time, as set forth in 45 CFR 164, Subpart C, as amended from time to time
  • Title V of the Gramm-Leach-Bliley Act of 1999, P.L. 106-102, as amended from time to time
  • The Federal Information Security Modernization Act of 2014, P.L. 113-283, as amended from time to time
  • The security requirements of the Health Information Technology for Economic and Clinical Health Act, as amended from time to time, as set forth in 45 CFR 162, as amended from time to time

If the applicable cybersecurity framework with which a business has chosen to comply is amended, it will have six months to update its policies to comply.

As in Ohio and Utah, Connecticut businesses that institute a qualifying cybersecurity program under the aforementioned guidelines prior to a data breach earn the right to avoid punitive damages.

On the other hand, businesses operating in Ohio and Utah with qualifying cybersecurity programs can also take advantage of broad affirmative defenses to causes of action available under the respective law that may be brought against them following a data breach, including failure to implement reasonable cybersecurity controls, failure to appropriately respond to a data breach and failure to appropriately notify individuals of compromised personal information.

For businesses in Connecticut, Ohio and Utah, taking advantage of the benefits offered by these laws by implementing a qualifying cybersecurity program should be a priority. Additionally, these laws are a preview of where other states are heading with similar laws. Finally, having an appropriate cybersecurity program in place not only helps a business in any state assess the strength of, and detect weakness in, its cybersecurity program, but also demonstrates to regulators and jurors that the business took cybersecurity seriously if there is an unfortunate data breach.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP


  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide