February 5, 2023

Volume XIII, Number 36

Error message

  • Warning: Undefined variable $settings in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
  • Warning: Trying to access array offset on value of type null in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).

February 03, 2023

Subscribe to Latest Legal News and Analysis

Connecticut Expands Protection of Personal Information, Incentivizes Adoption of Cybersecurity Standards for Businesses

As of October 1, 2021, Connecticut businesses will enjoy statutory protection from the assessment of punitive damages in cases that allege failure to protect personal and confidential information, provided reasonable cybersecurity controls are in place. Public Act 21-119, enacted by the Connecticut Legislature on July 6, 2021, seeks to incentivize greater adoption of cybersecurity standards by businesses in the state by providing guidance as to reasonable cybersecurity controls, and protecting businesses that implement those controls.

The new law, which applies only to tort claims brought under Connecticut law in Connecticut state court, serves to shield businesses that comply with certain requirements. Businesses that wish to take advantage of the protections afforded by the statute must implement a formal written cybersecurity program that contains “administrative, technical and physical safeguards for the protection of personal or restricted information.” The program also must conform to an industry-recognized cybersecurity framework enumerated in the statute, such as those promulgated by the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS) and the Payment Card Industry (PCI) Security Standards Council; where appropriate, cybersecurity regulations established by HIPAA, HITECH, FISMA or GLBA also apply.


Public Act 21-119 comes on the heels of Public Act 21-59, passed earlier this summer. Public Act 21-59 modified Connecticut’s existing data breach and cybersecurity law, expanding the definition of “personal information” subject to legal protection, shortening the deadline to provide notice of data breaches and protecting from public disclosure certain information provided in response to a Connecticut unfair trade practices investigation arising from a data breach.

Connecticut has brought its definitions up to speed with consumer expectations in expanding the definition of “personal information” to include data such as:

  • Medical, health insurance policy or subscriber information

  • Individual taxpayer ID numbers

  • Passport numbers or other ID numbers issued by the government used to verify identity

  • Biometric information and user names or email addresses, in combination with a password or security Q&A that would permit access to an online account.

Data Breach Notifications

Businesses also must be aware of the new statutory requirements if they suffer a data breach. The data breach notification deadline was shortened from 90 days to 60 days. Further, in the event a business is unable to confirm the identities and provide notice to all users impacted by a data breach, it must provide preliminary notice to all potentially impacted individuals within 60 days. The law also includes a unique requirement if a business believes the breach included login credentials: notice may be provided in electronic form provided it directs the resident to promptly change any password or security Q&A, or to take other appropriate steps to protect the affected online account.


Connecticut’s updated privacy and cybersecurity laws seek to strike a balance between protecting individuals and providing businesses with guidance in compliance and risk management, including a carrot to business in limiting potential liability for punitive damages if they comply with statutory requirements.

© 2023 Wilson ElserNational Law Review, Volume XI, Number 223

About this Author

Eric W.F. Niederer, Wilson Elser, Health Care Liability Lawyer, Compliance Issues Attorney,

Eric Niederer handles health care liability, product liability, catastrophic loss and high-exposure matters in state and federal court. He has represented a variety of health care providers in litigation, compliance issues and Department of Public Health investigations. Additionally, Eric has represented national and international manufacturers, distributors and retailers in product liability and commercial actions, including medical products and FDA and CPSC recalls. He has written articles and lectured on health care, product liability and Connecticut civil procedure....

Tyler W. Humphrey Attorney Financial Services Wilson Elser Hartford

Tyler Humphrey concentrates his practice in business and financial services matters. He has experience with various types of cases, including business formations and disputes, real estate transactions and limited white-collar criminal matters.

Formerly employed at a law firm in Boston, Massachusetts, Tyler gained experience in plaintiff-based personal injury litigation. He served as a judicial intern for the Honorable William Boyle, sitting first justice of Hamden County District Court.