Did you know Connecticut enacted a new cybersecurity law this month? Connecticut joined Ohio and Utah as one of just three states with legislation providing Safe Harbor protection against punitive damages when companies are sued for the consequences of a cyber breach.
Connecticut Public Act No. 21-119 went into effect on October 1st. Titled “An Act Incentivizing the Adoption of Cybersecurity Standards for Business”, the goal of the new law is to provide an incentive for organizations to take steps to reduce exposure to hackers.
The new law raises questions. To address these questions this article describes the statute at a high level and suggests how Connecticut companies who comply with the law can reduce risk and limit exposure to punitive damages. It also describes the steps required to implement one of the law’s accepted frameworks. This article does not offer legal advice. Organizations should seek qualified legal counsel where needed.
Is My Organization at Risk?
The simple answer is yes as far as the probability of a cyber breach is concerned. Every organization, large or small, is susceptible to computer breaches. Many public and private organizations in Connecticut have already suffered ransomware attacks and other cybercrimes. The identity of victims is not always made public, but attacks in Connecticut against 9 public school systems, 4 hospitals and even a town police department have recently been reported.
If you are breached, what are the odds your company will be sued and subjected to punitive damages? Currently the odds of being sued are not high, but there is reason to believe the number of punitive damage suits will grow in the future. Companies in the health care or financial services industries that handle Personally Identifiable Information (PII), and other companies that process credit card transactions, should be vigilant.
What Protection Does Connecticut Public Act No. 21-119 Provide?
The new law offers protection against punitive damages if a company conforms to an industry recognized cybersecurity framework. The specific legislation states:
“In any cause of action founded in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework.”
Can You Provide an Example of an Acceptable Cybersecurity Framework?
The legislation references 6 different cybersecurity frameworks it accepts. Any of these frameworks can be used to meet the statute’s requirements. To receive the law’s protection, organizations must keep current with framework releases and must not exhibit gross negligence or willful or wanton conduct.
The first approved framework listed is “The Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology. We will next describe the requirements of this framework to indicate the amount of effort needed to be compliant.
What Must Be Done to Conform to the NIST Framework?
The NIST Framework for Improving Critical Infrastructure Cybersecurity defines 5 Functions, 23 Categories, and 108 Sub-Categories. Through an ongoing process of self-assessment, organizations use the framework to gauge their level of cybersecurity preparedness. Users rate their cybersecurity maturity for each Sub-Category by assigning a Framework Implementation Tier ranging from 1 to 4. Framework Profiles are then prepared that record a Current Profile and a Target Profile for each Sub-Category, establishing goals for future improvement.
The following table provides examples of 5 different Sub-Categories (One from each Function).
| Function | Category | Sub-Category ID | Sub-Category Description |
|---|---|---|---|
| Identify | Governance | ID.GV-3 | Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed |
| Protect | Information Protection Processes and Procedures | PR.IP-4 | Backups of information are conducted, maintained, and tested |
| Detect | Anomalous Events | DE.AE-5 | Incident alert thresholds are identified |
| Respond | Mitigation | RS.MI-1 | Incidents are contained |
| Recover | Communication | RC.CO-3 | Recovery activities are communicated to internal and external stakeholders as well as executive and management teams |
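To make the Current Profile versus Target Profile process concrete, here is an added example (not code from the article, from CAPS, or from NIST) that records a tier for each of the five Sub-Categories in the table above and computes the gap between where the organization is and where it wants to be. The tier values assigned below are constructed sample data, and the "largest gap first" ordering is one common prioritisation heuristic, not something the framework mandates.

```python
"""Gap analysis over a NIST CSF Current Profile versus Target Profile.

Added example, not code from the article or from NIST. The five Sub-Categories
are the ones listed in the article's table; the tier values assigned to them
are constructed sample data.
"""
from dataclasses import dataclass

# Implementation Tiers defined by the NIST Framework
# (1 = Partial, 2 = Risk Informed, 3 = Repeatable, 4 = Adaptive).
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class SubcategoryProfile:
    """One Sub-Category with its Current Profile tier and Target Profile tier."""
    function: str
    subcategory_id: str
    description: str
    current_tier: int
    target_tier: int

    def __post_init__(self) -> None:
        # Reject tiers outside 1..4 and targets below the current state;
        # either one indicates a data-entry error in the self-assessment.
        for tier in (self.current_tier, self.target_tier):
            if tier not in TIER_NAMES:
                raise ValueError(f"{self.subcategory_id}: tier {tier} is not in 1..4")
        if self.target_tier < self.current_tier:
            raise ValueError(f"{self.subcategory_id}: target tier below current tier")

    @property
    def gap(self) -> int:
        """Number of tiers still to climb to reach the Target Profile."""
        return self.target_tier - self.current_tier


def gap_analysis(profiles):
    """Profiles ordered by largest gap first (ties broken by Sub-Category ID),
    a common order in which to schedule improvement work."""
    return sorted(profiles, key=lambda p: (-p.gap, p.subcategory_id))


def open_items(profiles):
    """Sub-Categories that have not yet reached their Target Profile."""
    return [p for p in profiles if p.gap > 0]


def summarize_by_function(profiles):
    """Per-Function totals: Sub-Category count, how many are at target,
    and the summed tier gap remaining."""
    summary = {}
    for p in profiles:
        entry = summary.setdefault(
            p.function, {"subcategories": 0, "at_target": 0, "total_gap": 0})
        entry["subcategories"] += 1
        entry["total_gap"] += p.gap
        if p.gap == 0:
            entry["at_target"] += 1
    return summary


def render_report(profiles) -> str:
    """Plain-text report in gap order, suitable for a management review."""
    lines = []
    for p in gap_analysis(profiles):
        lines.append(
            f"{p.subcategory_id:<9} {p.function:<8} "
            f"current={p.current_tier} ({TIER_NAMES[p.current_tier]}) "
            f"target={p.target_tier} ({TIER_NAMES[p.target_tier]}) gap={p.gap}")
    return "\n".join(lines)


# Constructed sample self-assessment over the five Sub-Categories from the
# article's table. The tier values are illustrative, not real assessment data.
SAMPLE_PROFILES = [
    SubcategoryProfile("Identify", "ID.GV-3",
                       "Legal and regulatory requirements are understood and managed", 2, 3),
    SubcategoryProfile("Protect", "PR.IP-4",
                       "Backups of information are conducted, maintained, and tested", 1, 3),
    SubcategoryProfile("Detect", "DE.AE-5",
                       "Incident alert thresholds are identified", 1, 2),
    SubcategoryProfile("Respond", "RS.MI-1",
                       "Incidents are contained", 2, 2),
    SubcategoryProfile("Recover", "RC.CO-3",
                       "Recovery activities are communicated to stakeholders", 1, 3),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_PROFILES))
    print(f"{len(open_items(SAMPLE_PROFILES))} Sub-Categories still below target")
    for function, totals in summarize_by_function(SAMPLE_PROFILES).items():
        print(f"{function}: {totals}")
```

A real assessment would hold all 108 Sub-Categories rather than five, typically loaded from a spreadsheet, but the same gap computation applies. Keeping the written Current and Target Profiles, and re-running the analysis as controls improve, is also the kind of documented, maintained program the statute's "created, maintained and complied with" wording asks for.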
Is There a Cost Associated?
There is no cost to access and use the NIST Framework for Improving Critical Infrastructure Cybersecurity. Though there are consultants who can help your organization implement the framework, NIST neither requires nor certifies consultants for this purpose.
What Should We Do Next?
We believe all Connecticut companies and non-profit organizations should consider their cybersecurity risk exposure. Connecticut Public Act No. 21-119 provides an impetus to assess your current vulnerabilities and to take steps to make your organization’s information assets more secure.
If you have not done so already, assign a member of your company’s management team to learn about the law and the available frameworks. Select an approved framework and use that tool to help drive your organization to continuous improvement. In addition to receiving the new law’s protections you will reduce the chances of a costly cyber breach.
If you have any questions, CAPS will be happy to share our advice at no charge. Though this law is new we have been helping Connecticut companies protect their valuable data resources for over 25 years.