On July 6, 2021, Connecticut enacted Public Act 21-119 to create a safe harbor for cybersecurity-savvy companies.
With this new law, Connecticut becomes the third state in the US (after Ohio and Utah) to offer businesses legal protection if they adopt an industry-recognized cybersecurity framework.
Both not-for-profit and for-profit businesses are covered by Connecticut's law. It was signed on July 6, 2021, by Connecticut Governor Ned Lamont and goes into effect on October 1, 2021.
Prevent Lawsuits to Your Business with a Written Cybersecurity Program
Public Act No. 21-119 protects companies with a written cybersecurity policy that aligns with an industry-recognized cybersecurity framework.
Under this law, if a lawsuit is brought against a company for failure to implement reasonable cybersecurity controls resulting in a data breach, punitive damages will not be awarded if the company created, maintained, and complied with a written cybersecurity program.
Qualified Cybersecurity Frameworks
Connecticut's cybersecurity law does not require a business to conform to a specific cybersecurity framework.
Instead, you can select whichever framework works best for your business. (Learn why Corserva aligns its cybersecurity practice with the NIST framework.)
Qualified cybersecurity frameworks include:
- NIST's Framework for Improving Critical Infrastructure Cybersecurity
- NIST Special Publication 800-171
- NIST Special Publications 800-53 and 800-53A
- FedRAMP Security Assessment Framework
- Center for Internet Security CIS Controls
- ISO/IEC 27000-series for information security
In addition to the above frameworks, companies are protected if they meet any of the following regulations:
- HIPAA Security Rule
- Gramm-Leach-Bliley Act
- Federal Information Security Modernization Act
- Health Information Technology for Economic and Clinical Health Act
- Payment Card Industry Data Security Standard
When a framework or regulation document is updated, companies have six months from the date the revision is published to conform to the revised version.
Information to Protect
Personally Identifiable Information (PII) that companies need to protect includes:
- Names
- Social security numbers
- Taxpayer identification numbers
- ID numbers issued by the IRS
- Driver's license numbers
- State ID numbers
- Passport numbers
- Military identification numbers
- Credit card and debit card numbers
- Financial account information
- Medical information
- Health insurance policy numbers
- Biometric information such as fingerprints, voice prints, and retinal scans
- User names and access credentials
- Email addresses
Expect Additional Cybersecurity Laws in the Future
With the increase in cyberattacks impacting public and private companies across the nation, we can expect to see more laws of this type encouraging businesses to adopt cybersecurity controls.
Recently, new NIST and CMMC compliance requirements have been implemented, impacting all Department of Defense suppliers.
Commercial enterprises need security awareness for the same reason federal defense contractors do — to avoid data losses and protect proprietary information (the "crown jewels" of the company).
Take a Security Control Lifecycle Approach to Cybersecurity
Instead of thinking of cybersecurity as a set of tools to be purchased, companies should take a lifecycle approach.
Good cyber hygiene combines technical controls with the correct processes for managing information.
Taking a security control lifecycle approach enables companies to invest in the right tools and processes to best defend against cyber threats.
When it comes to cybersecurity, there is no one-size-fits-all solution.
The lifecycle approach ensures that you don't waste money on tools you don't need, or purchase additional software in a misguided effort to correct process issues. The lifecycle has four stages:
- Governance - Policies and Procedures
- IT Operations - Design and Operations
- Monitoring, Reporting, and Auditing
- Ongoing Validation
Achieve Your Business Goals with Corserva
Corserva provides IT consulting and cybersecurity services across the US. By identifying security gaps within your organization and remediating them, we can help you optimize your IT infrastructure for best performance and prevent security incidents.
We also offer compliance and risk assessment services for companies that must adhere to specific regulations such as NIST 800-171, CMMC, GDPR, HIPAA, PCI DSS, and more.
Our certifications include CISSP, GSEC, CEH, and CompTIA Security+.