Connecticut Becomes The Latest State To Modify Its Data Breach Laws – Is Your Business Affected?
In 2002, California passed the first data breach notification law in the United States, and since then the remaining 49 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have all enacted data breach notification legislation. Following the passage of these laws, many jurisdictions have modified and updated their regulatory frameworks. Recently, Connecticut’s governor signed both HB 5310 (An Act Concerning Data Privacy Breaches) and HB 6607 (An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses) into law.
Under Connecticut law, any person, business, or agency that conducts business in Connecticut and that, in the ordinary course of such business, owns, licenses, or maintains computerized data that includes personal information (PI) is a “covered entity” and must comply with Connecticut’s data breach laws.
While HB 5310 contains impactful changes that impose more restrictive timelines and compliance requirements in the event of a data incident involving Connecticut residents’ PI, the most notable change is the creation of a cybersecurity safe harbor framework by HB 6607, an interesting twist to add to a data breach law.
Connecticut Cybersecurity Safe Harbor Framework
HB 6607 does not impose a regulatory requirement upon covered entities but instead offers an incentive to such entities if their cybersecurity programs meet certain criteria. The incentive is protection from punitive damages in any data breach tort lawsuit alleging a failure to implement reasonable cybersecurity controls. To receive protection under this “safe harbor”, a covered entity must meet two requirements:
First, the entity’s cybersecurity program must conform to an industry-recognized cybersecurity framework, which includes:
- The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity
- NIST’s Special Publications 800-53 and 800-53A
- The Federal Risk and Management Program’s FedRAMP Security Assessment Framework
- The Center for Internet Security’s (CIS) Critical Security Controls for Effective Cyber Defense
- The ISO/IEC 27000-series standards published by the International Organization for Standardization and the International Electrotechnical Commission
Second, the entity must adopt a cybersecurity program that meets the following requirements:
- Protects the security and confidentiality of PI and restricted information.
- Protects against any threats or hazards to the security or integrity of PI and restricted information.
- Protects against unauthorized access to and acquisition of PI and restricted information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates.
- The scale and scope of the entity’s cybersecurity program shall be based on the following factors: (A) the size and complexity of the covered entity; (B) the nature and scope of the activities of the covered entity; (C) the sensitivity of the information to be protected; and (D) the cost and availability of tools to improve information security and reduce vulnerabilities.
Once HB 6607 takes effect, a covered entity that complies with the safe harbor framework will have a near-absolute shield from punitive damages in any data breach tort lawsuit alleging a failure to implement reasonable cybersecurity controls.
So What Now?
Both HB 5310 and HB 6607 will go into effect on October 1, 2021. In the meantime, entities that satisfy the definition of a “covered entity” should perform an assessment to determine whether they will adopt an industry-recognized cybersecurity framework in order to reap the benefits of the new safe harbor.
To learn more about new and emerging regulatory requirements surrounding cybersecurity, the handling of data, and implementing a compliant cybersecurity framework, contact a member of McGrath North’s Privacy and Cybersecurity Team today. Our data privacy and cybersecurity experts can assist you in preparing a comprehensive, tailored, and proactive compliance plan to best protect you and your business.