Take These Steps to Avoid Huge Fines if You Get Breached

Nov 16, 2021 | Cyber Awareness, NIST CSF

New State Fines

New Law Protects CT Firms that Adopt Cybersecurity Controls

The likelihood of experiencing a data breach may be higher than you think.  While it’s true some industries are more susceptible than others, the biggest mistake companies can make about cybersecurity is assuming they don’t need it or they aren’t a target. If the consequences of a data breach aren’t convincing enough for your organization to implement a cybersecurity framework, these state fines may be. The following are the penalties for violations Connecticut organizations can face:

Non Civil

1st offense: $100 per willful violation

2nd offense: 500 per willful violation

3rd and subsequent offenses: $1,000 and or 6 months imprisonment

Civil

$500 per willful violation, to a maximum of $500,000 for any single event.

*Penalties shall be deposited into the CT privacy protection guaranty & enforcement account.

Fortunately, you can avoid all of this due to a new law here in Connecticut.

As of October 1st, a new law has gone into effect in Connecticut that prevents state courts from penalizing businesses hit by a data breach, so long as the organization has previously implemented cybersecurity controls. The law, named “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” largely speaks for itself.

The law aims to reward businesses that create and maintain a written cybersecurity program including administrative, technical and physical safeguards to protect both personal information, as well as confidential business data. Those that do not have cybersecurity controls in place, on the other hand, can face fines. The goal behind this incentive is that businesses that have done what they can to protect their customers and systems should and will not be fined.

Connecticut Data Privacy Statute

The law follows a data privacy statute Connecticut’s state legislature approved in June of 2021 to update and fortify its existing breach notification laws. The “Act Concerning Data Privacy Breaches” broadens the definition of personal information including medical information, online account information, passport numbers, military identification and health insurance account numbers.

Accepted Cybersecurity Frameworks

The following are accepted frameworks organizations can have that dismiss them from being fined, should a breach occur:

    • The National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF)
    • The National Institute of Standards and Technology’s special publication 800-171, which governs controlled unclassified information
    • The National Institute of Standards and Technology’s special publications 800-53 and 800-53a
    • The Federal Risk and Management Program’s “FedRAMP Security Assessment Framework” applicable to cloud-based services
    • The Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”
    • The “ISO/IEC 27000-series” Information security standards published by the International Organization for Standardization and the International Electrotechnical Commission

The law also extends to businesses that handle payment cardholder data if they comply with the current version of the Payment Card Industry Data Security Standard (PCI-DSS) and the current version of one of the above frameworks. Businesses regulated by the following frameworks are also eligible to benefit from the law where their programs conform to the relevant cybersecurity requirements:

    • HIPPA Security Rule
    • Title V of the Gramm-Leach-Bliley Act (GLBA)
    • The Federal Information Security Modernization Act (FISMA)

Security Breach Notifications

Businesses should also be aware of the new requirements if they suffer a security breach. The deadline for reporting a security breach was shortened from 90 days to 60 days. Furthermore, in the event a business is unable to confirm the identities and provide notice to all users impacted by a security breach must provide preliminary notice to all potentially impacted individuals within 60 days.

This law is the latest in a growing list of state and national-level legislation that incentivizes organizations who used recognized cybersecurity frameworks to safeguard their data. This further substantiates that organizations should take their cybersecurity seriously to avoid hefty fines, and keep their customer’s and critical organizational information secure.