New Connecticut Law Provides Tort Protections For Cyber-Savvy Businesses (CT)
On July 6, 2021, Connecticut Governor Ned Lamont signed into law a bill designed to incentivize Connecticut businesses to implement stronger cybersecurity practices to combat the rise in cyber and ransomware attacks. In doing so, the state becomes one of only three states, the others being Ohio and Utah, to adopt an incentive-based approach for businesses to improve cybersecurity best practices. The new law, which will become effective on October 1, 2021, gives statutory protection from punitive damages claims brought under Connecticut law in Connecticut state court to those companies that enact reasonable cybersecurity controls. This includes the adoption of a formal written cybersecurity program that contains “administrative, technical and physical safeguards for the protection of personal or restricted information.” The program must also conform to certain cybersecurity standards set forth in the statute, including those established by the National Institute of Standards and Technology (NIST) and the Payment Card Industry (PCI) Security Standards Council, as well as any applicable regulations relevant to the business (e.g., HIPAA or FISMA). Connecticut businesses that do not have strong cybersecurity protocols in place should strongly consider complying with the new law to avoid potential punitive damages exposure from future cyber losses.
Thanks to Andrew Gibbs for his contribution to this post. Please email Georgia Coats with any questions.