Connecticut pushes cybersecurity with offers of punitive damage protection

Connecticut Gov. Ned Lamont signed a bill designed to encourage businesses in the state to beef up their cybersecurity.

“An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” will protect businesses from punitive damages resulting from a breach of personal data if they have adopted and adhere to industry-standard cybersecurity measures. 

The new law covers individuals’ names, Social Security numbers, taxpayer ID numbers, driver’s license numbers or other government identifiers; financial account numbers and passwords; medical or health insurance information; biometric information; and user names or email addresses that are used in combination with a password or security question to access online accounts.

To be exempt from punitive damages, an organization must conform to the current version of a recognized security framework such as the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity; Special Publications 800-171, 800-53 and 800-53a; the Federal Risk and Authorization Management Program’s FedRAMP Security Assessment Framework; the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense; or the ISO/IEC 27000 series.

Organizations already regulated by the state or federal government must keep their compliance with the Health Insurance Portability and Accountability Act, the Federal Information Security Modernization Act and the Health Information Technology for Economic and Clinical Health Act in order to avoid paying punitive damages.

Businesses that handle payment card data must also comply with the current version of the Payment Card Industry Data Security Standard.

When any of the relied-upon cybersecurity standards is updated, businesses have six months from the publication of the revised version to bring their program into compliance with it.

The legislation is the latest of Connecticut’s efforts to better secure its assets. Earlier this year, Lamont announced the centralization of state IT resources and named Jeff Brown as the state’s first chief information security officer.

“Across the globe, cybersecurity risks continue to rise,” Brown said. “Connecticut is investing in cybersecurity and technology in new ways to protect our residents and businesses. We are bringing our statewide information technology team together into one, collaborative organization that will help us identify and deter cybersecurity incidents faster, bring everyone onto streamlined platforms, and ultimately protect more private information.”

The measure goes into effect on Oct. 1, 2021.
