IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Connecticut Gov. Signs Bill Limiting Data Breach Liability

Businesses in the state could soon avoid punitive damages if their personal or restricted information becomes compromised. However, this protection only works if businesses meet certain cybersecurity standards.

Connecticut Gov. Ned Lamont last month signed legislation that would protect businesses in the state from punitive damages if any personal or restricted information is compromised.

But, there’s a slight catch.

To receive this protection, businesses have to meet certain cybersecurity standards laid out in the legislation.

According to Public Act 21-119, a few of these cybersecurity standards include having a “written cybersecurity program that contains administrative, technical and physical safeguards to protect personal or restricted information.”

This program would need to conform to either the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST) or the Federal Risk and Management Program’s (FedRAMP) Security Assessment Framework.

Once the program is put in place, it would safeguard the security and confidentiality of businesses’ private information and protect against the unauthorized access of information that could potentially result in identity theft or fraud.

“Public Act, 21-119, is an important step forward to incentivize private companies to take cybersecurity more seriously by aligning with an industry-accepted cybersecurity framework,” said Jeff Brown, the state’s chief information security officer. “More than one framework is cited in the bill because cybersecurity is not a one-size-fits-all solution.”

“If a defendant business can demonstrate that they conformed to one of the recognized cybersecurity frameworks that is appropriate for their industry, they will have some legal protection in the event of a breach,” Brown said.

The state’s business community responded positively to the legislation, state CIO Mark Raymond said.

“The business community that we have in the state has been very appreciative of the effort to help provide more protections for businesses,” Raymond said. “They recognize they are struggling, so anything we can do to help them and create a safer environment has been appreciated.”

When asked why a concept like this hasn’t been proposed sooner, Raymond said “it would have been great if it was proposed five years ago.”

“Cybersecurity from my perspective is an ever-changing field. It has become more risky and complex, but two simple things continue to drive it,” he said.

The first is an increase in people doing more things online. The second, he said, is that as online services continue to grow, the threats and number of adversaries trying to steal information also grow.

Because of this, Raymond explained the next steps in enforcing the bill would most likely involve talking with the state’s business industry and monitoring their progress in adopting these new plans.

“I think the next steps involve working with the industry and helping them adjust to this new legislation, whether that’s answering questions or checking in with them to see how they are obtaining these frameworks,” Raymond said. “We need to work together and pay attention to the changing landscape of cybersecurity to make sure our state’s businesses are safe and protected.”

The legislation takes effect on Oct. 1, 2021.
Katya Maruri is a staff writer for Government Technology. She has a bachelor’s degree in journalism and a master’s degree in global strategic communications from Florida International University.