Connecticut companies and organizations that suffer a hacker attack may be shielded from liability under a new Connecticut law if they had adopted adequate cybersecurity protocols. The law was created to give businesses and organizations an incentive to improve their digital defenses.
Although the Connecticut legislature failed to pass privacy legislation similar to the laws adopted in California, Colorado and Virginia, it was able to adopt the “Act Incentivizing the Adoption of Cybersecurity Standards for Businesses”. The bill was drafted by the Commerce Committee and passed unanimously. It takes effect October 1, 2021.
This law is just one of many laws that can impact how MSSPs protect customer information at the state and national levels. Like many other data security laws, Connecticut’s Cybersecurity Standard Act requires organizations and businesses to implement reasonable cybersecurity programs.
Instead of defining reasonable controls by referring to requirements listed in other laws, Connecticut’s Cybersecurity Standards Act states its requirements more generally and establishes what counts as reasonable controls through a safe harbor. The Cybersecurity Standards Act provides an affirmative defense to civil actions against covered entities in the event of a data breach involving personal or restricted information.
Under the bill, courts cannot assess punitive damages after a data breach if the business or organization had implemented a cybersecurity program to protect the information that was exposed. The affirmative defense is available when the action is filed under Connecticut law or in Connecticut state court, and the defendant company or organization can rely on it if it can prove that it complied with an industry-recognized cybersecurity framework.
What Cybersecurity Standards are Referenced?
This law refers to the following cybersecurity standards:
National Institute of Standards and Technology
- Framework for Improving Critical Infrastructure Cybersecurity
- Special Publication (SP) 800-171
- SP 800-53 and SP 800-53A
Federal Risk and Authorization Management Program (FedRAMP)
- FedRAMP Security Assessment Framework
Center for Internet Security
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
International Organization for Standardization & the International Electrotechnical Commission
- ISO/IEC 27000 Series
There will be mixed reactions to any new law: some will support the policy while others will disagree with it. Anthony Buonaspina, BSEE/BSCS, CPACC, is the CEO and Founder of LITech Advisors.
I didn’t know Connecticut had such a proactive approach in encouraging businesses and organizations to strengthen their cybersecurity.
Connecticut has chosen to incentivize companies rather than penalize them. They can attract (and help protect) more businesses with honey than vinegar. Companies can avoid large fines simply by enhancing their security and following all state-mandated security guidelines.
This is a trend that I see quickly leading to a significant increase in companies calling MSSPs to plug any holes and fill in the gaps in their IT security infrastructure. Clients have always told me that it is essential to increase security to a certain degree by building stronger walls and wider moats. Clients often put off the expense and hope for the best.
They now have additional reasons to take action to ensure security. Security can be seen as an investment, similar to cybersecurity insurance. You can save a lot of money by paying little now and avoid large expenses if a security breach happens.
As with WCAG ADA accessibility compliance, you will see that an MSSP must “certify” that a company meets all state guidelines. I believe many MSPs will change their business structures to be more MSSP-oriented. MSPs are rapidly becoming a “race to the bottom”, while MSSPs are quickly becoming a “race to the top”. This new approach to “incentivizing business” will become the norm in many states.
One user on a forum stated that he could see how it would end. The audit will not be completed by companies unless they do their best to ensure compliance. Companies should be held responsible if they take chances and make a profit.
Another user said, “I don’t think rewards are the right thing.” Security should be valued and not rewarded with a promise of a pony. Businesses that have poor security practices will fail. Secure/mature businesses can leverage security as an advantage and differentiator.
Cybersecurity is often seen as a cost center by many organizations and businesses. Many people don’t believe that data protection is an essential cost of doing business. Connecticut wants to offer incentives to businesses and organizations that do more to secure their data. Many business leaders and owners around the world have heard the horror stories about cyberattacks, ransomware demands and data breaches. It can be frightening just thinking about it. Leaders and business owners will continue to believe that they might be next.
This may be a great opportunity for you to feel secure with the Connecticut government’s enhanced rules and protection.
This new law will encourage good behavior rather than punish and penalize victims, as has been the norm for many years. Is this the first step in a new trend that Connecticut is trying to create? Will other states follow Connecticut’s lead?