Connecticut Gov. Signs Bill Limiting Data Breach Liability

Businesses in the state could soon avoid punitive damages if their personal or restricted information becomes compromised. However, this protection only works if businesses meet certain cybersecurity standards.

Connecticut Gov. Ned Lamont last month signed legislation that would protect businesses in the state from punitive damages if any personal or restricted information is compromised.

But there’s a slight catch.

To receive this protection, businesses have to meet certain cybersecurity standards laid out in the legislation.

According to Public Act 21-119, a few of these cybersecurity standards include having a “written cybersecurity program that contains administrative, technical and physical safeguards to protect personal or restricted information.”

This program would need to conform to either the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST) or the Federal Risk and Management Program’s (FedRAMP) Security Assessment Framework.

Once the program is put in place, it would safeguard the security and confidentiality of businesses’ private information and protect against the unauthorized access of information that could potentially result in identity theft or fraud.

“Public Act 21-119 is an important step forward to incentivize private companies to take cybersecurity more seriously by aligning with an industry-accepted cybersecurity framework,” said Jeff Brown, the state’s chief information security officer. “More than one framework is cited in the bill because cybersecurity is not a one-size-fits-all solution.”

“If a defendant business can demonstrate that they conformed to one of the recognized cybersecurity frameworks that is appropriate for their industry, they will have some legal protection in the event of a breach,” Brown said.

The state’s business community responded positively to the legislation, state CIO Mark Raymond said.

“The business community that we have in the state has been very appreciative of the effort to help provide more protections for businesses,” Raymond said. “They recognize they are struggling, so anything we can do to help them and create a safer environment has been appreciated.”

When asked why a concept like this hasn’t been proposed sooner, Raymond said “it would have been great if it was proposed five years ago.”

“Cybersecurity from my perspective is an ever-changing field. It has become more risky and complex, but two simple things continue to drive it,” he said.

The first is an increase in people doing more things online. The second, he said, is that as online services continue to grow, the threats and number of adversaries trying to steal information also grow.

Because of this, Raymond explained the next steps in enforcing the bill would most likely involve talking with the state’s business industry and monitoring their progress in adopting these new plans.

“I think the next steps involve working with the industry and helping them adjust to this new legislation, whether that’s answering questions or checking in with them to see how they are obtaining these frameworks,” Raymond said. “We need to work together and pay attention to the changing landscape of cybersecurity to make sure our state’s businesses are safe and protected.”

The legislation takes effect on Oct. 1, 2021.
Katya Maruri is a staff writer for Government Technology. She has a bachelor’s degree in journalism and a master’s degree in global strategic communications from Florida International University, and more than five years of experience in the print and digital news industry.