Through legislation, Connecticut has incentivized businesses to conform to one or more industry-recognized cybersecurity frameworks. As we recently discussed, cybersecurity incidents and risks are taking center stage. Under Connecticut’s recently enacted Public Act No. 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards for Business (the Act), as further described below, a business that implements a qualifying cybersecurity program is shielded from punitive damages in any data breach-related tort claim that is brought in, or under the laws of, Connecticut.
The Act, which becomes effective October 1, 2021, protects a “covered entity,” a broadly defined term (“a business that accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside this state”), from punitive damages in any cause of action founded in tort and brought under the laws of or within the state of Connecticut that alleges that the covered entity’s failure to implement reasonable cybersecurity controls resulted in a breach of personal or restricted information. To benefit from the Act, the covered entity must have created, maintained, and complied with a cybersecurity policy or program designed to protect the security and confidentiality of personal and restricted information, protect the security and integrity of that information from potential threats or hazards, and protect against unauthorized access to it. To give covered entities concrete guidance, the Act references several industry-recognized frameworks (e.g., the NIST Cybersecurity Framework) that a covered entity may use to design its cybersecurity program.
The Act is flexible, recognizing that an entity’s cybersecurity program should fit the particular circumstances. Factors that would drive the appropriate scale and scope of a covered entity’s cybersecurity program include its size and complexity, the nature and scope of its activities, the sensitivity of the information being protected, and the cost and other practical aspects of available cybersecurity tools and safeguards. Therefore, smaller businesses with less sensitive activities may find the Act’s standards attainable.
Once a covered entity has implemented a program modeled on one of the referenced frameworks, it is responsible for keeping that program current: any applicable revision to the framework must be incorporated into the program within six months of the revision’s publication.
Although the Act protects covered entities that follow its guidance, it does not shield a covered entity from punitive damages if the entity’s failure to use reasonable cybersecurity controls resulted from its own gross negligence or willful misconduct.
Overall, businesses that operate in Connecticut may find an additional benefit to being proactive with respect to their cybersecurity programs. If you have any specific questions with respect to your cybersecurity program, do not hesitate to connect with your Morgan Lewis team.