The Connecticut law, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, creates a “safe harbor” from punitive damages for businesses in tort cases where a data breach stemmed from an alleged failure to implement reasonable cybersecurity controls. To benefit from the law, the business must have adopted one of six named industry frameworks (plus a seventh where payment card information is involved) or conform with the requirements of one of three federal legal frameworks. This protection does not apply where “such failure to implement reasonable controls was the result of gross negligence or wilful or wanton conduct.”
This “incentivizing” Act is similar to the Ohio Data Protection Act (effective November 2018) and the Utah Cybersecurity Affirmative Defenses Act (effective May 2021), which offer protections for businesses with specified cybersecurity programs. Although the cybersecurity frameworks identified in Connecticut, Ohio, and Utah are nearly identical, the relief available varies: In Connecticut, businesses with qualifying cybersecurity programs can avoid only punitive damages; in Ohio and Utah, businesses with such programs can avail themselves of broad affirmative defenses to causes of action including failure to implement reasonable cybersecurity controls, failure to appropriately respond to a data breach, and failure to appropriately notify individuals of compromised personal information. The new Connecticut and Utah laws also follow in the footsteps of a recent federal amendment impacting enforcement under the Health Insurance Portability and Accountability Act (HIPAA), which states that the relevant federal regulator (the U.S. Secretary of Health and Human Services) must consider compliance with certain cybersecurity standards as a mitigating factor when calculating potential penalties for HIPAA violations.
To benefit from Connecticut’s new law, businesses must conform to the current version of one or more of the following frameworks:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework;
- NIST Special Publication 800-171, which governs controlled unclassified information;
- NIST Special Publications 800-53 and 800-53a;
- FedRAMP Security Assessment Framework, which applies generally to cloud-based services;
- Center for Internet Security Controls; or
- ISO 27000-series information security standards.
The law also extends to businesses that handle payment cardholder data if they comply with the current version of the Payment Card Industry Data Security Standard (PCI-DSS) and the current version of one of the above frameworks. In addition, entities regulated by the following frameworks are eligible to benefit from the law where their programs conform to the relevant cybersecurity requirements:
- HIPAA Security Rule (as applicable either to HIPAA covered entities or business associates);
- Title V of the Gramm-Leach-Bliley Act (GLBA); and
- The Federal Information Security Modernization Act (FISMA).
Businesses have only six months to conform their program to any amendments to the chosen framework(s) in order to remain eligible for protection from punitive damages. Finally, the mere existence of a cybersecurity policy that aligns with one of the enumerated frameworks is insufficient. Businesses must have “created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information” (as defined by the law). And the cybersecurity program must be designed as described in subsection (d) of the Act, including to “protect against any threats or hazards” and taking into consideration the “scale and scope of a covered entity’s cybersecurity program” based on factors such as the business’s size, the sensitivity of the information, and the “cost and availability of tools to improve information security and reduce vulnerabilities.”
* * *
With the growing trend of state laws that incentivize the use of “recognized” cybersecurity frameworks, it is increasingly important for businesses to consider whether their frameworks map onto those guidelines if they wish to reap the available protections. It remains to be seen how burdensome it may become for defendants to demonstrate that their cybersecurity programs complied with one of the enumerated frameworks, including what evidence will be required to obtain the protection of the bar on punitive damages. Businesses also may need to consider how to best convey that the “scale and scope” of their programs were appropriately tailored based on the cost and availability of tools to improve information security, to take advantage of this affirmative defense against punitive damages. Entities are well advised to consider whether their security risk assessment processes provide an avenue to create contemporaneous evidence that their programs were reasonable and appropriate based on present circumstances within an evolving cyber threat landscape.
Authored by Michelle Kisloff, Paul Otto, Alicia Paller, and Jacob Wall.