In particular, HB 6607 establishes a defense in any cause of action founded in tort brought under the laws of Connecticut that allege a failure to implement reasonable cybersecurity controls resulting in a data breach concerning personal information or restricted information. Notably, Connecticut has been active in updating its data breach legislation and recently signed HB 5130 for an Act Concerning Data Privacy Breaches (codified as Public Act 21-119) which amends Connecticut's data breach notification law by:

• broadening the definition of personal information to include additional categories of sensitive information;
• shortening the time period to notify consumers and the Attorney General ('AG') of a security breach from 90 to 60 days; and
• providing confidentiality for material obtained by the AG through Civil Investigative Demands.

Scope

Sherwin M. Yoder, Partner at Carmody Torrance Sandak & Hennessey LLP, highlights the key differences in HB 6607 and HB 5130 noting, "If [HB 5130] is a 'stick', spurring Connecticut businesses to increase data privacy and cybersecurity safeguards, then HB 6607 may be a 'carrot'. This second piece of legislation […] incentivises entities who store personal information to take proactive steps to implement a qualified written cybersecurity program."

More specifically, HB 6607 prevents the Superior Court from assessing punitive damages against a covered entity if it created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal or restricted information and that it conforms to an industry recognised cybersecurity framework. Furthermore, HB 6607 stipulates an exemption for the defence where a failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct. Moreover, the industry recognised frameworks set out in HB 6607 include:

• National Institute of Standards and Technology's ('NIST') Framework for Improving Critical Infrastructure Cybersecurity;
• NIST's Special Publication 800-171;
• NIST's Special Publication 800-53 and 800-53a;
• Federal Risk and Management Program's FedRAMP Security Assessment Framework;
• Center for Internet Security Critical Security Controls;
• International Organization for Standardization and the International Electrotechnical Commission 27000 series information security standards;
• Payment Card Industry Data Security Standard Security Standards; and
• Federal Information Security Modernization Act.

Moving forward

Yoder recommends organisations consider the following actions:

• "Take stock of data practices and privacy and information security policies: Do you know where and how you are handling each of the new categories of 'personal Information'? Do your public-facing notices signal to costumers that you recognise your expanding obligations regarding their data? Do you have written policies that empower employees to classify and protect personal data and that enable IT to maintain industry-standard technical and physical safeguards?
• Update the incident response plan: Does the plan account for the shortened breach notification deadline? Does it address coordination of compliance obligations where the Health Insurance Portability and Accountability Act of 1996 Breach Notification Rule may apply?
• Review third party contracts: Do your service provider contracts need to be updated to address definitions pertaining to personal data and the parties' responsibilities regarding incident response and breach notification?
• Review insurance coverage: Do you have cybersecurity insurance? Does it need to be updated to cover incident response costs resulting from a data breach involving the new categories of 'personal Information'."

Finally, organisations have a short turnaround period with both bills entering into effect on 1 October 2021.

Edidiong Udoh Privacy Analyst
[email protected]

Comments provided by:
Sherwin M. Yoder Partner
[email protected]
Carmody Torrance Sandak & Hennessey LLP