Connecticut Expands Protection of Personal Information, Incentivizes Adoption of Cybersecurity Standards for Businesses
As of October 1, 2021, Connecticut businesses will enjoy statutory protection from the assessment of punitive damages in cases that allege failure to protect personal and confidential information, provided reasonable cybersecurity controls are in place. Public Act 21-119, enacted by the Connecticut Legislature on July 6, 2021, seeks to incentivize greater adoption of cybersecurity standards by businesses in the state by providing guidance as to reasonable cybersecurity controls, and protecting businesses that implement those controls.
The new law, which applies only to tort claims brought under Connecticut law in Connecticut state court, serves to shield businesses that comply with certain requirements. Businesses that wish to take advantage of the protections afforded by the statute must implement a formal written cybersecurity program that contains “administrative, technical and physical safeguards for the protection of personal or restricted information.” The program also must conform to an industry-recognized cybersecurity framework enumerated in the statute, such as those promulgated by the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS) and the Payment Card Industry (PCI) Security Standards Council; where appropriate, cybersecurity regulations established by HIPAA, HITECH, FISMA or GLBA also apply.
Public Act 21-119 comes on the heels of Public Act 21-59, passed earlier this summer. Public Act 21-59 modified Connecticut’s existing data breach and cybersecurity law, expanding the definition of “personal information” subject to legal protection, shortening the deadline to provide notice of data breaches and protecting from public disclosure certain information provided in response to a Connecticut unfair trade practices investigation arising from a data breach.
Connecticut has brought its definitions up to speed with consumer expectations in expanding the definition of “personal information” to include data such as:
Medical, health insurance policy or subscriber information
Individual taxpayer ID numbers
Passport numbers or other ID numbers issued by the government used to verify identity
Biometric information and user names or email addresses, in combination with a password or security Q&A that would permit access to an online account.
Data Breach Notifications
Businesses also must be aware of the new statutory requirements if they suffer a data breach. The data breach notification deadline was shortened from 90 days to 60 days. Further, in the event a business is unable to confirm the identities and provide notice to all users impacted by a data breach, it must provide preliminary notice to all potentially impacted individuals within 60 days. The law also includes a unique requirement if a business believes the breach included login credentials: notice may be provided in electronic form provided it directs the resident to promptly change any password or security Q&A, or to take other appropriate steps to protect the affected online account.
Connecticut’s updated privacy and cybersecurity laws seek to strike a balance between protecting individuals and providing businesses with guidance on compliance and risk management, including a carrot for businesses: limited potential liability for punitive damages if they comply with the statutory requirements.