New CT Cybersecurity Law Protects Against Liability For Data Breaches

Rivkin Radler LLP

Connecticut Governor Ned Lamont recently signed into law “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (Public Act No. 21-119). Under the Act, “covered entities” that implement certain cybersecurity measures to protect against data breaches of “personal information” and “restricted information” will be insulated against the imposition of punitive damages arising from tort claims alleging that the “covered entity” failed to implement reasonable cybersecurity measures.

The Act defines “covered entity” as any “business that accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside” Connecticut. “Personal information” includes an individual’s name coupled with a social security number, credit or debit card number, financial account number along with that account’s password or security code, medical information, health insurance policy information, or certain other types of data. “Personal information” also includes an individual’s user name or email address, plus the password or security answer that grants access to that online account. “Restricted information” means any information about an individual that can be used to distinguish or trace the individual’s identity or that is reasonably linked or linkable to an individual.

To comply with the Act and receive its protection, businesses must implement an “industry recognized” cybersecurity program, such as those promulgated by the National Institute of Standards and Technology or the Payment Card Industry Data Security Standard, among others. The Act will protect businesses regulated by HIPAA, the HITECH Act, or certain other laws, so long as the business is compliant with the applicable law.

If a business does not maintain one of the above cybersecurity programs, it can still be protected by the Act if its cybersecurity program protects the security and confidentiality of personal and restricted information; protects against any threats or hazards to the security of personal and restricted information; and protects against unauthorized access to personal and restricted information. In determining whether a business’s cybersecurity program accomplishes these goals, four factors must be considered: the size and complexity of the covered entity; the nature and scope of its activities; the sensitivity of the information to be protected; and the cost and availability of tools to improve information security and reduce vulnerabilities.

The Act will become effective on October 1, 2021.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
