New CT Cybersecurity Law Protects Against Liability for Data Breaches

Connecticut Governor Ned Lamont recently signed into law “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (Public Act No. 21-119). Under the Act, “covered entities” that implement certain cybersecurity measures to protect against data breaches of “personal information” and “restricted information” will be insulated against the imposition of punitive damages arising from tort claims alleging that the “covered entity” failed to implement reasonable cybersecurity measures.

The Act defines “covered entity” as any “business that accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside” Connecticut. “Personal information” includes an individual’s name coupled with a social security number, credit or debit card number, financial account number along with that account’s password or security code, medical information, health insurance policy information, or certain other types of data. “Personal information” also includes an individual’s user name or email address, plus the password or security answer that grants access to that online account. “Restricted information” means any information about an individual that can be used to distinguish or trace the individual’s identity or that is reasonably linked or linkable to an individual.

To comply with the Act and receive its protection, businesses must implement an “industry recognized” cybersecurity program, such as those promulgated by the National Institute of Standards and Technology or the Payment Card Industry Data Security Standard, among others. The Act will protect businesses regulated by HIPAA, the HITECH Act, or certain other laws, so long as the business is compliant with the applicable law.

If a business does not maintain one of the above cybersecurity programs, it can still be protected by the Act if its cybersecurity program protects the security and confidentiality of personal and restricted information; protects against any threats or hazards to the security of personal and restricted information; and protects against unauthorized access to personal and restricted information. In determining whether a business’s cybersecurity accomplished these goals, four factors must be considered: the size and complexity of the covered entity; the nature and scope of its activities; the sensitivity of the information to be protected; and the cost and availability of tools to improve information security and reduce vulnerabilities.

The Act will become effective on October 1, 2021.