Wood, Smith, Henning & Berman LLP
United States: Connecticut Improves Data Privacy Laws, Protects Businesses From Punitive Damage For Data Breaches
Joining Utah and Ohio on Oct. 1, 2021, Connecticut will become the third state in the country to pass a “safe harbor” law for data breach litigation. Public Law No. 21-119 provides a layer of protection for businesses against lawsuits seeking punitive damages for data breaches. The legislature also passed a complementary bill, HB 5310, outlining enhanced requirements for cybersecurity and the protection of personal information. With the increase in ransomware attacks, Connecticut is taking steps to protect the private information of its residents while providing businesses with a standard framework to help them protect their assets from future attacks.
Limitations of punitive damages in data breach disputes
Under the new law, Connecticut courts cannot assess punitive damages against a company that “has created, maintained and adhered to a written cybersecurity program containing administrative, technical and physical safeguards for the protection of personal information.” With the increase in ransomware attacks against businesses of all sizes and types, even small business owners need to implement a cybersecurity program to protect their business data as well as that of their customers. This law recognizes that companies that try to protect the information of their employees and customers can still be held accountable to others in the event of a data breach. Now in Connecticut, as long as a company has a written cybersecurity program that meets the requirements of Connecticut law, it will be shielded from punitive damages sought by plaintiffs.
What is required in Connecticut for a cybersecurity program to comply with the law?
Cybersecurity programs in Connecticut must meet certain standards to be eligible for the new safe harbor provision. The law lists several resources that provide guidelines for companies when designing and implementing cybersecurity programs. Generally, the cybersecurity program should protect personal and confidential information and keep it secure from threats or dangers presented by potential ransomware attacks or hacking by third parties. Businesses should implement safeguards to thwart unauthorized access to and acquisition of this information that could cause harm to their employees, customers, and others.
The law refers to model guidelines that companies can use to create or improve their cybersecurity safeguards, including:
- the “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology;
- National Institute of Standards and Technology Special Publication 800-171;
- National Institute of Standards and Technology Special Publications 800-53 and 800-53A;
- the Federal Risk and Authorization Management Program’s “FedRAMP Security Assessment Framework”;
- the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense; and
- the “ISO/IEC 27000-series” information security standards published by the International Organization for Standardization and the International Electrotechnical Commission.
Who is a covered entity under the new law?
Connecticut’s “safe harbor” law for data breaches explicitly defines which companies and entities will be covered by its provisions. Covered Entities are defined as businesses that “access, maintain, communicate or process personal or restricted information through one or more systems, networks or services located within or outside the State of Connecticut”. Basically, any business that stores, manages or processes personal or restricted information is covered by this law.
A companion bill, which strengthened cybersecurity protections at all levels, expanded the definition of personal information to include not only basic identifying information such as name, Social Security number, driver’s license number, etc., but also taxpayer ID, passport number, IRS identification numbers, medical history or treatment, health insurance policy information, electronically obtained biometric information, and username or email address together with password.
The safe harbor law also adds the term “restricted information” alongside “personal information”. Restricted information is defined in the law as “any information about an individual, other than personal information or publicly available information … which can be used to distinguish or trace the identity of the individual … any such method or technology so that the information is illegible, and the breach of which is likely to result in a significant risk of identity theft or other fraud to a person or property.” Again, this amounts to an expansion of the type of information protected by this new legislation. Businesses should take steps to secure restricted information by implementing encryption or other technologies to protect the identity of those linked to the information.
New notification requirements
The new laws, which will come into force on October 1, 2021, also shorten the time frame within which companies must notify affected parties and the attorney general of any data breach. The previous deadline was 90 days; under the revisions, companies are now required to report “without unreasonable delay”, but no later than 60 days after discovery of the breach. Businesses must also now specifically notify users whose usernames or passwords have been breached and instruct them to create new passwords for their own protection as soon as possible.
- Review your current cybersecurity plan to make sure it complies with the framework outlined in the law, or if you don’t have a cybersecurity plan yet, use the framework to create a plan.
- Note the broad definitions of personal and restricted information when reviewing and creating cybersecurity plans, and determine if retention of this information is necessary.
- Be aware of the abbreviated notification requirements when responding to a data breach.
- Be aware that adhering to the standards set out in the law will protect against punitive damages resulting from a data breach.
WSHB’s Cybersecurity and Data Privacy practice group is comprised of a nationwide team of qualified attorneys who serve our clients’ cybersecurity and data privacy needs. We offer a 24/7 response service for data breach emergencies. WSHB provides assistance in all matters relating to cyber risk management, data breaches, cyber insurance coverage, and defense and litigation strategy. We monitor recent cyber trends and implement proven and cost-effective solutions for our clients’ needs. Please feel free to contact the author of this article, or a member of our team, if you have any questions or concerns about how to properly implement the requirements of this new legislation in your cybersecurity program.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.