New Connecticut law incentivizes better cyber measures through litigation safe harbor

Connecticut has become the third state (hello Ohio and Utah) to enact a cyber safe harbor law, providing an affirmative defense for qualifying businesses against tort claims based on an alleged failure to implement reasonable cyber security standards following a data breach. The Connecticut Cybersecurity Standards Act (CT Public Act 21-119), signed by Governor Lamont on July 15, 2021, is aimed at encouraging the implementation of cybersecurity measures and protecting business entities that do so from punitive damages in data breach litigation.

To qualify for the protection, which under the statute expressly bars the Connecticut Superior Court from assessing punitive damages against the entity, covered businesses must create, maintain and comply with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal information. Importantly, the law requires the entity’s written cybersecurity program to conform to an “industry recognized cybersecurity framework”. Frameworks identified by the law include:

  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework, and NIST Special Publications 800-53, 800-53A and 800-171;
  • The Federal Risk and Authorization Management Program’s (FedRAMP) Security Assessment Framework; and
  • The Center for Internet Security’s Critical Security Controls for Effective Cyber Defense.

Additionally, any covered entity currently regulated under HIPAA or Gramm-Leach-Bliley that is in compliance with the cybersecurity requirements of those laws will also be given safe harbor.

Covered entities for the purpose of this law are businesses in Connecticut that access, maintain, communicate or process personal information or restricted information through systems located in or outside of Connecticut. The law acknowledges that business size, the nature of its activities, the sensitivity of the protected information and the cost of cybersecurity tools are all relevant considerations. The law’s definition of personal information is typical of state breach notification laws and includes a first name or first initial and last name in combination with one or more data elements that are commonly thought of as personal. Significantly, biometric information such as fingerprints, voice prints or retina scans is also included among those data elements, acknowledging the widespread use of biometric data in consumer technology and capturing personal information that may consist only of a consumer’s name and their fingerprint, without an address or Social Security number.

Governor Lamont framed the law as both pro-business and pro-consumer, saying that it will ensure Connecticut is “operating in the most business friendly ways and also improving the security of consumers’ data.” It will go into effect on October 1, 2021, giving businesses a few months to prepare.

You may contact us if you have any questions.