New Connecticut law nudges businesses to adopt cybersecurity controls

Companies that suffer data breaches can avoid punitive damages if they're following an established cybersecurity framework, like those from NIST or CIS.
Connecticut Gov. Ned Lamont (John Moore / Getty Images)

Connecticut Gov. Ned Lamont on Tuesday signed legislation making the state the third to offer businesses a safe harbor on data security if they implement one of several sets of cybersecurity controls.

The Cybersecurity Standards Act stipulates that companies operating in Connecticut cannot be assessed "punitive damages" by state courts over a breach exposing residents' personally identifiable information (names, addresses, Social Security numbers, medical records and financial information) if they maintain a written cybersecurity program that conforms to a recognized cybersecurity framework.

The act lists several familiar standards already in use across the public and private sectors, including the National Institute of Standards and Technology's Cybersecurity Framework, the Center for Internet Security's set of 18 controls, the Federal Risk and Authorization Management Program, also known as FedRAMP, and the Payment Card Industry Data Security Standard.

The new law applies to any company that "accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside this state." Businesses that follow one of the approved frameworks gain an "affirmative defense" against claims that a breach was the result of a "failure to implement reasonable cybersecurity controls."

The law also expands Connecticut's definition of what counts as protected information to include biometric data, such as fingerprints, retinal scans and voice recordings, as well as credentials issued by the IRS.

With Lamont's signing of the law, Connecticut joined Ohio and Utah in offering businesses legal protections in exchange for adopting an established cybersecurity framework. Connecticut's new law does not, however, eliminate the state's ability to seek damages after a breach: the safe harbor does not apply when a company's "failure to implement reasonable cybersecurity controls was the result of gross negligence or willful or wanton conduct," the act states.

The new law goes into effect Oct. 1.

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.