Written in collaboration with Nathaly Tamayo, JD.
Today, Connecticut’s Governor signed An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, Public Act 21-119 (the Act). This is on the heels of the adoption of significant revisions to the state’s data breach statute. For the reasons described below, “incentivizing” may be too strong of a word here. The Act prohibits the assessment of punitive damages against an entity sued for negligent data protection practices related to a data breach involving personal information or information that can be used to identify an individual if the entity adopts and implements recognized cybersecurity standards.
This incentive is available to all businesses, including sole proprietorships and non-profits, that use information systems to access, maintain or communicate personal information or information that can be used to identify an individual. The definition of personal information in the Act mirrors the recently expanded definition in the revised state data breach statute in Public Act 21-59.
To be entitled to the protection against punitive damages, a business must prove that it created, maintained, and complied with a written cybersecurity program containing administrative, technical, and physical safeguards to protect personal or restricted information. Cybersecurity programs must meet two requirements: 1) the program must conform to an industry-recognized cybersecurity framework and 2) the program must meet specified design requirements.
A business can meet the cybersecurity framework requirement in one of three ways. First, it can adopt one of the six (6) acceptable industry-recognized cybersecurity frameworks identified in the Act.
- The “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology;
- The National Institute of Standards and Technology’s special publication 800-171;
- The National Institute of Standards and Technology’s special publications 800-53 and 800-53a;
- The Federal Risk and Management Program’s “FedRAMP 86 Security Assessment Framework”;
- The Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”; or
- The “ISO/IEC 27000-series” information security standards 90 published by the International Organization for Standardization and the 91 International Electrotechnical Commission.
Second, businesses subject to and in compliance with one of the following federal laws or regulations will meet the cybersecurity framework requirement: 1) the security requirements of the Health Insurance Portability and Accountability Act (HIPAA), 2) the security requirements of the Health Information Technology for Economic and Clinical Health Act, 3) Title V of the Gramm-Leach-Bliley Act, and 4) the Federal Information Security Modernization Act.
Third, a business meets the requirement by complying with the current version of the “Payment Card Industry Data Security Standard” in combination with one of the six acceptable industry-recognized cybersecurity frameworks noted above.
If there are revisions to any of the above frameworks, laws, regulations and standards listed above, the business has six (6) months to implement those revisions to maintain protection from punitive damages.
In addition to complying with one of the above frameworks, laws, regulations or standards, the business’s cybersecurity program must also comply with specified design requirements. The program must be designed to 1) protect the security and confidentiality of such information, 2) protect against threats or hazards to the security or integrity of such information, and 3) protect against unauthorized access to and acquisition of the information that would result in identity theft or other fraud.
Finally, and importantly, the scope and scale of a cybersecurity program depends on the following factors:
- The size and complexity of the covered entity;
- the nature and scope of the activities of the covered entity;
- the sensitivity of the information to be protected; and
- the cost and availability of tools to improve information security and reduce vulnerabilities.
In other words, the complexity and extent of the cybersecurity program for a small neighborhood salon will differ from that of a multi-location financial institution.
Notably, the originally proposed bill offered an affirmative defense which would have created a safe harbor against data breach lawsuits for businesses that implement and maintain recognized cybersecurity standards. This would have been comparable to measures adopted in Ohio, and legislation pending in other states. Unfortunately, through the legislative process, the Act’s affirmative defense was replaced with a prohibition on punitive damages.
While the Legislature’s heart was in the right place, I think this Act falls short. Most of the identified acceptable standards and frameworks are designed for larger companies and require significant time and resources to implement. Given the limited benefit of the “incentive” (avoiding punitive damages), a smaller business is better off adopting a cybersecurity program customized for its operations, which likely does not strictly comply with one of the identified standards. Implementing a reasonable cybersecurity program likely will have the same effect of avoiding punitive damages without requiring a herculean effort to meet big-business standards.