On July 6, 2021, Connecticut enacted a new law (Public Act 21-119) that creates a safe harbor for companies that followed certain cybersecurity protocols in the event there’s a security breach.

The new Connecticut law is similar to the one Ohio enacted in 2018. Both laws apply to “covered entities” that possess “personal information” and suffer a “breach of security of the system” under that state’s data breach notification law. Both states have created incentives for companies to follow nationally recognized cybersecurity standards, by granting a “safe harbor” against certain state tort law claims in their states. The Connecticut law, however, is more detailed than the Ohio law, and its key paragraph is subsection (b):

In any cause of action founded in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework, as described in subsection (c) of this section and that such covered entity designed its cybersecurity program in accordance with the provisions of subsection (d) of this section. The provisions of this subsection shall not apply if such failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.

(In contrast, the Ohio law provides a company with an affirmative defense if an allegation is made that the “failure to implement reasonable security controls” resulted in the breach but the company was in compliance with a recognized cybersecurity standard at that time.)

The Connecticut law lists several standards that would meet the requirements of the new law, including:

  1. Three different NIST standards;
  2. FedRAMP;
  3. the ISO 27000 series;
  4. the Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”;
  5. HIPAA; and
  6. Gramm-Leach-Bliley.

For those subject to PCI-DSS standards, the safe harbor will apply if the company complies with one of the first four standards listed above, plus the current version of PCI-DSS (with six months to get into compliance with any revision to PCI-DSS).

Both the Ohio and Connecticut laws recognize that cybersecurity programs may vary based upon the size and nature of the company. The Connecticut law states:

The scale and scope of a covered entity’s cybersecurity program shall be based on the following factors: (A) the size and complexity of the covered entity; (B) the nature and scope of the activities of the covered entity; (C) the sensitivity of the information to be protected; and (D) the cost and availability of tools to improve information security and reduce vulnerabilities.

The new Connecticut law goes into effect on October 1, 2021.