Law Protects CT Firms That Adopt Cybersecurity Controls

Corserva blog

On July 6, 2021, Connecticut enacted Public Act 21-119 to create a safe harbor for cybersecurity savvy companies.

With this new law, Connecticut becomes the third state in the US (in addition to Ohio and Utah) to offer businesses legal protection if they adopt an industry recognized cybersecurity framework.

Not-for-profit as well as for-profit businesses are impacted by Connecticut's law. It was signed on July 6, 2021 by Connecticut Governor Ned Lamont and goes into effect on October 1, 2021.


Prevent Lawsuits to Your Business with a Written Cybersecurity Program

Public Act No. 21-119 provides protection for companies that have a written cybersecurity policy in place that aligns with an industry recognized cybersecurity framework.

With the passing of this law, if a lawsuit is brought against a company for failure to implement reasonable cybersecurity controls resulting in a data breach, punitive damages will not be awarded if the company created, maintained, and complied with a written cybersecurity program.


Qualified Cybersecurity Frameworks

Connecticut's cybersecurity law does not require a business to conform to a specific cybersecurity framework.

Instead, you can select whichever framework works best for your business. (Learn why Corserva aligns its cybersecurity practice with the NIST framework.)


Qualified cybersecurity frameworks include:


In addition to the above frameworks, companies are protected if they meet any of the following regulations:


As framework or regulation documents are updated, companies have six months from the time of publication to conform to the revised version of the document.


Information to Protect

Personally Identifiable Information (PII) that companies need to protect include:

  • Names
  • Social security numbers
  • Taxpayer identification numbers
  • ID numbers issued by the IRS
  • Driver's license numbers
  • State ID numbers
  • Passport numbers
  • Military identification numbers
  • Credit card and debit card numbers
  • Financial account information
  • Medical information
  • Health insurance policy numbers
  • Biometric information such as fingerprints, voice prints, and retinal scans
  • User names and access credentials
  • Email addresses


Expect Additional Cybersecurity Laws in the Future

With the increase of cybersecurity attacks impacting public and private companies across the nation, we can expect to see more of these types of laws encouraging businesses to adopt cybersecurity controls.

Recently, new regulations for NIST compliance and CMMC compliance have been put in place impacting all Department of Defense suppliers.

Commercial enterprises need security awareness for the same reason federal defense contractors do — to avoid data losses and protect proprietary information (the "crown jewels" of the company).




Take a Security Control Lifecycle Approach to Cybersecurity

Instead of thinking of cybersecurity as a set of tools to be purchased, companies should take a lifecycle approach.

Good cyber hygiene involves the combination of technical controls and the correct processes for managing information.

Taking a security control lifecycle approach enables companies to invest in the right tools and processes to best defend against cyber threats.

When it comes to cybersecurity, there is no one-size-fits-all.

The lifecycle approach ensures that you don't waste money on tools you don't need or purchase additional software in a misguided effort to correct process issues.


Security control lifecycle


Achieve Your Business Goals with Corserva

Corserva provides IT consulting and cybersecurity services across the US. By identifying gaps in security within your organization and performing remediation, we can help you optimize your IT infrastructure for best performance and prevent security incidents.

We also offer compliance and risk assessment services for companies that need to adhere to specific regulations such as NIST 800-171, CMMC, GDPR, HIPAA, PCI DSS, and more.

Our certifications include CISSP, GSEC, CEH, and CompTIA Security+.

Contact us today to request a quote.



Post Date: August 19, 2021 // 11:15 AM

Topic category:

NIST & CMMC, Cybersecurity


Steve Mascia

Having spent his career in technical sales, Steve has an extensive technology background delivering information technology and integrated solutions in various environments including corporate buildings, campuses, and data centers. His experience spans IT managed services, professional services, cloud services, hybrid networks, cybersecurity, data & VoIP systems, structured cabling systems, wireless, video, and security solutions. Steve strives to advance his clients' business success in every endeavor.