Law Protects CT Firms That Adopt Cybersecurity Controls
Steve Mascia, August 19, 2021, 3 min read

On July 6, 2021, Connecticut enacted Public Act 21-119 to create a safe harbor for cybersecurity-savvy companies.

With this new law, Connecticut becomes the third state in the US (in addition to Ohio and Utah) to offer businesses legal protection if they adopt an industry-recognized cybersecurity framework.

Not-for-profit as well as for-profit businesses are affected by Connecticut's law. It was signed on July 6, 2021, by Connecticut Governor Ned Lamont and goes into effect on October 1, 2021.

Prevent Lawsuits Against Your Business with a Written Cybersecurity Program

Public Act No. 21-119 protects companies with a written cybersecurity policy that aligns with an industry-recognized cybersecurity framework.

With the passing of this law, if a lawsuit is brought against a company for failure to implement reasonable cybersecurity controls resulting in a data breach, punitive damages will not be awarded if the company creates, maintains, and complies with a written cybersecurity program.

Qualified Cybersecurity Frameworks

Connecticut's cybersecurity law does not require a business to conform to a specific cybersecurity framework.

Instead, you can select whichever framework works best for your business. (Learn why Corserva aligns its cybersecurity practice with the NIST framework.)

Qualified cybersecurity frameworks include:

In addition to the above frameworks, companies are protected if they meet any of the following regulations:

As framework or regulation documents are updated, companies have six months from the time of publication to conform to the revised version of the document.

Information to Protect

Personally Identifiable Information (PII) that companies need to protect includes:

  • Names
  • Social security numbers
  • Taxpayer identification numbers
  • ID numbers issued by the IRS
  • Driver's license numbers
  • State ID numbers
  • Passport numbers
  • Military identification numbers
  • Credit card and debit card numbers
  • Financial account information
  • Medical information
  • Health insurance policy numbers
  • Biometric information such as fingerprints, voice prints, and retinal scans
  • User names and access credentials
  • Email addresses

Expect Additional Cybersecurity Laws in the Future

With the increase in cyber attacks affecting public and private companies across the nation, we can expect to see more laws of this type encouraging businesses to adopt cybersecurity controls.

Recently, new regulations for NIST compliance and CMMC compliance have been implemented, impacting all Department of Defense suppliers.

Commercial enterprises need security awareness for the same reason federal defense contractors do: to avoid data losses and protect proprietary information (the "crown jewels" of the company).

Take a Security Control Lifecycle Approach to Cybersecurity

Instead of thinking of cybersecurity as a set of tools to be purchased, companies should take a lifecycle approach.

Good cyber hygiene involves the combination of technical controls and the correct processes for managing information.

Taking a security control lifecycle approach enables companies to invest in the right tools and processes to best defend against cyber threats.

When it comes to cybersecurity, there is no one-size-fits-all solution.

The lifecycle approach ensures that you don't waste money on tools you don't need or purchase additional software in a misguided effort to correct process issues. The lifecycle covers the following stages:

  • Governance - Policies and Procedures
  • IT Operations - Design and Operations
  • Monitoring, Reporting, and Auditing
  • Ongoing Validation

Achieve Your Business Goals with Corserva

Corserva provides IT consulting and cybersecurity services across the US. By identifying gaps in security within your organization and performing remediation, we can help you optimize your IT infrastructure for best performance and prevent security incidents.

We also offer compliance and risk assessment services for companies that must adhere to specific regulations such as NIST 800-171, CMMC, GDPR, HIPAA, PCI DSS, and more.

Our certifications include CISSP, GSEC, CEH, and CompTIA Security+.



Steve Mascia

Having spent his career in technical sales, Steve has an extensive technology background delivering information technology and integrated solutions in various environments including corporate buildings, campuses, and data centers. His experience spans IT managed services, professional services, cloud services, hybrid networks, cybersecurity, data & VoIP systems, structured cabling systems, wireless, video, and security solutions. Steve strives to advance his clients' business success in every endeavor.