Connecticut sets up safe haven from cybersecurity breaches
On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe haven for companies that followed certain cybersecurity protocols in the event of a security breach.
Connecticut’s new law is similar to the one Ohio enacted in 2018. Both laws apply to “covered entities” that possess “personal information” and experience a “system security breach” under that state’s data breach notification law. Both states have urged companies to follow nationally recognized cybersecurity standards, granting a “safe harbor” against certain tort claims in their states. Connecticut law, however, is more detailed than Ohio law, and its key paragraph is subsection (b):
In any tort cause of action brought under the laws of that State or in the courts of that State that alleges that the failure to implement reasonable cybersecurity controls has resulted in a data breach involving personal information or restricted information, the Superior Court should not assess punitive damages against a covered entity if that entity has created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal information or restricted information and that complies with an industry-recognized cybersecurity framework as described in subsection (c) of this section and that such covered entity has designed its cybersecurity program in accordance with the provisions of subsection (d) of this section. The provisions of this subsection do not apply if such failure to implement reasonable cybersecurity controls is the result of gross negligence or willful or gratuitous conduct.
(In contrast, Ohio law gives a company an affirmative defense if an allegation is made that “failure to implement reasonable security controls” resulted in the violation but the company was in compliance with a recognized cybersecurity standard at that time.)
Connecticut law lists several standards that would meet the requirements of the new law, including:
- Three different NIST standards,
- ISO 27000 series,
- The Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”
For those subject to PCI-DSS, the Safe Harbor will apply if the company complies with any of the first four standards listed above, as well as the current version of PCI-DSS (with six months to comply with any PCI-DSS revision).
Ohio and Connecticut laws recognize that cybersecurity programs can vary depending on the size and nature of the business. Connecticut law states:
The scale and scope of a Covered Entity’s cybersecurity program should be based on the following factors: (A) the size and complexity of the Covered Entity; (B) the nature and extent of the activities of the covered entity; (C) the sensitivity of the information to be protected; and (D) the cost and availability of tools to improve information security and reduce vulnerabilities.
Connecticut’s new law comes into effect on October 1, 2021.