On July 6, 2021, Connecticut enacted Public Act 21-119 to create a safe harbor for cybersecurity-savvy companies.
With this new law, Connecticut becomes the third state in the US (in addition to Ohio and Utah) to offer businesses legal protection if they adopt an industry-recognized cybersecurity framework.
Both not-for-profit and for-profit businesses are affected by Connecticut's law. It was signed on July 6, 2021, by Connecticut Governor Ned Lamont and goes into effect on October 1, 2021.
Public Act No. 21-119 protects companies with a written cybersecurity policy that aligns with an industry-recognized cybersecurity framework.
With the passing of this law, if a lawsuit is brought against a company for failure to implement reasonable cybersecurity controls resulting in a data breach, punitive damages will not be awarded if the company created, maintained, and complies with a written cybersecurity program.
Connecticut's cybersecurity law does not require a business to conform to a specific cybersecurity framework.
Instead, you can select whichever framework works best for your business. (Learn why Corserva aligns its cybersecurity practice with the NIST framework.)
Qualified cybersecurity frameworks include:
In addition to the above frameworks, companies are protected if they meet any of the following regulations:
As framework or regulation documents are updated, companies have six months from the time of publication to conform to the revised version of the document.
Personally Identifiable Information (PII) that companies need to protect includes:
With the increase of cybersecurity attacks impacting public and private companies across the nation, we can expect to see more of these types of laws encouraging businesses to adopt cybersecurity controls.
Recently, new regulations for NIST compliance and CMMC compliance have been implemented, impacting all Department of Defense suppliers.
Commercial enterprises need security awareness for the same reason federal defense contractors do — to avoid data losses and protect proprietary information (the "crown jewels" of the company).
Instead of thinking of cybersecurity as a set of tools to be purchased, companies should take a lifecycle approach.
Good cyber hygiene involves the combination of technical controls and the correct processes for managing information.
Taking a security control lifecycle approach enables companies to invest in the right tools and processes to best defend against cyber threats.
When it comes to cybersecurity, there is no one-size-fits-all solution.
The lifecycle approach ensures that you don't waste money on tools you don't need or purchase additional software in a misguided effort to correct process issues.
Corserva provides IT consulting and cybersecurity services across the US. By identifying gaps in security within your organization and performing remediation, we can help you optimize your IT infrastructure for best performance and prevent security incidents.
We also offer compliance and risk assessment services for companies that must adhere to specific regulations such as NIST 800-171, CMMC, GDPR, HIPAA, PCI DSS, and more.
Our certifications include CISSP, GSEC, CEH, and CompTIA Security+.