Connecticut’s state House unanimously passed legislation May 20, 2021, that would protect businesses that adopt cybersecurity measures. House Bill 6607 promotes the adoption of defined cybersecurity frameworks by preventing a company from being liable for punitive damages in the event of a data breach.
This legislation would shield companies that enacted such policies from legal liability if their customers’ data is exposed in a cyber attack. Businesses that conform to one of the approved frameworks would be able to use that compliance as an affirmative defense in state courts. That means a company sued over a cyber attack in Connecticut courts could escape legal liability if it proves its cyber practices meet the standards the law prescribes.
The frameworks well recognized by the cybersecurity community and approved for this legislation include the current version of, or any combination of the current versions of:
The “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology (also known as the NIST Cybersecurity Framework);
The National Institute of Standards and Technology’s Special Publication 800-171;
The National Institute of Standards and Technology’s Special Publications 800-53 and 800-53A;
The Federal Risk and Management Program’s “FedRAMP Security Assessment Framework”;
The Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”;
The “ISO/IEC 27000-series” information security standards published by the International Organization for Standardization and the International Electrotechnical Commission.
Reasons for this legislation
“This legislation is critical for protecting our most vulnerable industries from the increasing threat of cyberattacks,” said State Rep. Caroline Simmons.
According to a 2018 CBIA survey, nearly one-quarter of Connecticut businesses experienced a data breach or cyberattack in the previous two years, and 90% of those were small businesses with fewer than 100 employees.
Additionally, a large contributing factor is the pandemic, which forced people to rely increasingly on virtual options for remote communication and transactions. As a result, cybersecurity has emerged as a growing concern. The FBI’s Internet Crime Complaint Center recently said it received a record number of cybersecurity complaints from Americans last year (791,790), with reported losses exceeding $4.1 billion. That was an increase of more than 300,000 complaints compared to 2019.
What this means for your CT business
In addition to House Bill 6607, another CT House Bill was signed on June 16, 2021. House Bill 5310 changes Connecticut’s data breach law effective October 1, 2021. Under this legislation, the definition of personal information expands substantially, the data breach notification timeframe shrinks from 90 to 60 days, and an organization no longer needs to be doing business in CT to be subject to the law.
With these two new laws, a cybersecurity program is becoming a necessity for small and medium-sized businesses. We suggest adopting a program aligned with one of the nationally recognized frameworks mentioned in the bill.
To assist you in this transition, we are offering a National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) Gap Analysis at no cost. In this analysis, we will review the five core functions of the framework against your current policies, procedures, and processes. After the analysis, we will provide you with a remediation plan listing the steps that bring your organization into closer alignment with the NIST CSF.