Connecticut Incentivizes Cybersecurity
Connecticut became the latest state to provide an incentive for private entities to adopt cybersecurity frameworks and a safe harbor from private causes of action resulting from cyber breaches. With its Cybersecurity Standards Act, the state joins Ohio and Utah in providing such protections.
The law protects businesses from punitive damages in actions alleging that the company failed to implement reasonable cybersecurity controls and that those failures resulted in a data breach. The protection is afforded if the company proves:
- The company created, maintained, and complied with a written cybersecurity program;
- The program contains administrative, technical and physical safeguards; and
- The program conforms to an industry recognized cybersecurity framework.
The law is very flexible in that companies may adopt one of many different cybersecurity frameworks including NIST’s Framework for Improving Critical Infrastructure Cybersecurity, NIST 800-171, NIST 800-53, FedRAMP, ISO/IEC 27000-series, among others. Further, as these frameworks are updated, companies are allowed six months to update their own policies to reflect the new framework requirements.
The law also allows companies the flexibility to “right size” the frameworks based on four factors: the size of the company; the nature and the scope of the company; the sensitivity of the information being protected; and the cost or availability of tools to reduce vulnerabilities and improve security. Thus, a framework such as NIST 800-53 may be too difficult to implement in full in a small organization, but a small company is allowed to down-size or reduce the requirements of the framework based on the size and complexity of the organization without losing the protections afforded by this statute.
The statute’s true purpose, however, is not to provide protections from punitive damages for private entities; the true purpose is to promote the adoption of cybersecurity controls. Proactively adopting cybersecurity frameworks helps companies recover from an attack, saves money in responding to an attack, and now also protects companies from punitive damages in private causes of action. And encouraging the adoption of cybersecurity frameworks ultimately protects us all.
State of Connecticut, Public Act No. 21-119, see https://cga.ct.gov/2021/ACT/PA/PDF/2021PA-00119-R00HB-06607-PA.PDF.