Add Connecticut to List of States Offering Cybersecurity Safe Harbor
New Law Sets Bar for “Reasonable Security”
HB 6607 became law without the Governor’s signature, and will incentivize the adoption of cybersecurity standards for businesses. The new law will allow businesses that adopt certain cybersecurity practices to escape punitive damages in any cause of action that alleges that a failure to implement “reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information” if the action is brought under the laws of the State of Connecticut or in the courts of the State of Connecticut.
Specifically, effective October 1, “the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal or restricted information and that reasonably conforms to an industry-recognized cybersecurity framework.” The law lists the “industry-recognized” frameworks that qualify a covered entity for this protection, including:
NIST’s Framework for Improving Critical Infrastructure Cybersecurity
NIST’s Special Publication 800-171
NIST’s Special Publication 800-53 and 800-53A
The FedRAMP Security Assessment Framework
Center for Internet Security Critical Security Controls
ISO/IEC 27000 series information security standards
Entities will need to pay close attention to revisions of whichever framework they adopt, because the protection applies only if a covered entity conforms to a revision not later than six months after that revision’s publication date.
Entities regulated by HIPAA/HITECH or GLBA will be able to rely on this law if their cybersecurity programs conform to the current versions of the relevant security requirements, provided that they conform with revisions to those requirements not later than six months after the publication date of each revision.
Connecticut sets the bar for what, in its legislative view, constitutes “reasonable security measures” by pointing to these industry-recognized standards as the guidelines. An earlier version of HB 6607 provided an affirmative-defense “safe harbor” for adoption of such security frameworks, but the final “as passed” version narrowed that protection to the bar on punitive damages described above.