Connecticut Eyes Encryption Mandate for Vendors

State senate leaders are pushing for legislation that requires companies to encrypt data if they want to do business with Connecticut agencies.

by Brian Heaton / February 23, 2015

If private companies want to do business with state agencies in Connecticut, they better make sure their customer data is secured.

Connecticut lawmakers may soon require vendors to encrypt all personal data that is stored and transmitted as a condition of entering into a contract with the state. Businesses would also have to enable stronger password protections and control how much personal identifying information can be downloaded at one time, to help mitigate damage in the event any data is stolen.

The push for a codified encryption mandate comes on the heels of the Anthem breach from earlier this month. That incident exposed the personal information of nearly one-third of Connecticut residents, according to the Connecticut Post.

In an interview with Government Technology, Connecticut Senate Majority Leader Bob Duff, D-Norwalk, categorized the hack as an opportunity to improve the state’s cybersecurity standing.

“We’ve learned a hard lesson, but it provides us with the momentum to accomplish change – change to put in real protections for Connecticut residents,” he said. “This is also an opportunity for the state to provide assistance to small businesses to encrypt their sensitive data and make our state a more attractive place for them to locate.”

The burden of encryption could be difficult for small companies, however. Duff admitted that experts have told him and other state leaders that, in order to comply, businesses could face up to a 20 percent hike in computer and software costs.

If the security standards change, Connecticut would join a handful of states – including Maryland and New Jersey – that require customer data encryption. When asked if it might be better for the federal government to issue uniform data security requirements to avoid companies having to comply with different standards, Duff was skeptical that Uncle Sam could address the problem adequately.

“Unfortunately, as we all know too well, Washington has become dysfunctional,” Duff said. “Washington is unable to function in a quick manner – something that is necessary with the fast moving field of technology. The responsibility has fallen to the states.”

Connecticut’s proposed cybersecurity changes haven’t been finalized yet. Two bills circulating in the Connecticut Senate have placeholder language that will be altered and fine-tuned to fit the proposal. One will come out of the Insurance and Real Estate Committee; the other is SB 589, which is currently located in the General Law Committee.

Duff explained that the most important thing is to come up with a comprehensive definition of “encryption” that can hold up to new technology advancements. In addition, Duff said legislators are working on bill language with the health insurance industry, cybersecurity experts and attorneys who worked on Massachusetts’ encryption requirements; the goal is to create a workable proposal that is cost-effective and offers the highest level of protection.

The challenge, he added, is making sure all the concerns of interested parties are met – without diluting the protections the public needs.

“We are in a world where other countries are using government agencies to break into our companies and steal sensitive information,” Duff said. “In the long run, I think that companies will find it cheaper to implement these protocols than to have to clean up the mess of a data breach.”

Brian Heaton

Brian Heaton was a writer for Government Technology magazine from 2011 to mid-2015.