Connecticut has signed into law a new bill that bars state courts from penalizing businesses hit by a data breach if the organization has previously implemented certain cybersecurity controls.
The Connecticut measure, aptly named “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” aims to reward companies for creating and maintaining a written cybersecurity program with administrative, technical and physical safeguards to protect both personal information and the businesses’ confidential data.
This is the latest in a growing list of state- and national-level legislation that may impact how MSSPs safeguard customer data. At the national level, the big item to watch is President Biden's executive order on cybersecurity, which specifically mentions IT service providers more than a dozen times.
Cybersecurity Controls: Benefits of Compliance
In the case of Connecticut, organizations that embrace key cybersecurity controls won’t be hit with fines potentially levied by Connecticut’s Superior Court should hackers break into their network. The rationale behind the free pass is that organizations have done all that could be done to protect their customers and their own systems.
Connecticut Governor Ned Lamont signed HB 6607 on July 6, 2021 and it will become effective on October 1, 2021. The state is now one of three, including Ohio and Utah, to codify into law an incentive-based approach for businesses to implement cybersecurity best practices.
The Connecticut bill is an interim step to establishing a federal law mandating a minimum standard of information security, said Curtis Duke, the executive vice president and general manager of security best practices at the Center for Internet Security (CIS), an East Greenwich, New York-based non-profit that facilitates the development of best cybersecurity practices for businesses, government agencies, academic institutions and other organizations. The Center’s CIS Controls is a set of 18 prioritized safeguards to mitigate cyber attacks levied against systems and networks. "Connecticut's cybersecurity bill introduces a critical interim step: incentivizing the adoption of cyber best practices like the CIS Controls, to improve cybersecurity and protect citizen data," Duke said.
Connecticut Data Privacy Statute
The cybersecurity standards bill comes on the heels of a data privacy statute the state’s legislature approved in June 2021 to update and fortify its existing breach notification laws. The Act Concerning Data Privacy Breaches broadens the definition of personal information contained in an earlier law dating to 2005 to include medical information, online account information, passport numbers, military identification and health insurance account numbers.
The bill, which carries overtones of California’s Consumer Privacy Act, also shortens the deadline by which entities must notify individuals and the Office of the Attorney General of a security breach. Any person or entity collecting personal data while conducting business in the state must notify any resident of the state whose data may have been breached within 60 days of the incident.
In May 2018, Connecticut affirmed the Cybersecurity Action Plan calling for better security, deeper collaboration and more security pros on the job. The 41-page document contained requirements and recommendations to fortify cybersecurity planning and policy in the state. One month later, cyber crooks pilfered roughly $1.4 million from 21 account holders at the Connecticut Higher Education Trust. More than $442,000 was subsequently recovered or the transfers were stopped.