Joining Utah and Ohio, on October 1, 2021, Connecticut will become the third state in the nation to enact a data breach litigation "safe harbor" statute. Public Act No. 21-119 provides a layer of protection to businesses against lawsuits brought against them seeking punitive damages for data breaches. The legislature also passed a companion bill, HB 5310, outlining enhanced requirements for cybersecurity and protection of personal information. With ransomware attacks on the rise, Connecticut is taking measures to protect the private information of its residents as well as providing businesses with a standard framework to assist them in shielding their assets from future attack.
Limitations on Punitive Damages in Data Breach Litigation
According to the new law, Connecticut courts cannot assess punitive damages against a business that "created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information." With ransomware attacks increasing against businesses of all sizes and types, even small business owners need to implement a cybersecurity program to protect the data of their company as well as their customers. This law recognizes that businesses which attempt to safeguard their employees' and customers' information may still be liable to others for a data breach. Now in Connecticut, so long as a business has a written cybersecurity program that meets the requirements of Connecticut law, it will be shielded from punitive damages sought by plaintiffs.
What is Required in Connecticut to Have a Cybersecurity Program Comply with the Law?
Cybersecurity programs in Connecticut must comply with certain standards to qualify for the new safe harbor provision. The statute points to several resources that provide guidelines for businesses as they design and implement cybersecurity programs. Generally, the cybersecurity program must protect and keep secure personal and confidential information against any threats or hazards presented by potential ransomware attacks or hacking by outside parties. Businesses should implement safeguards to thwart unauthorized access and acquisition of such information that could result in damage to their employees, customers and others.
The statute refers to model guidelines that businesses may use to create or improve their cybersecurity safeguards, including:
- The "Framework for Improving Critical Infrastructure Cybersecurity" published by the National Institute of Standards and Technology;
- The National Institute of Standards and Technology's special publication 800-171;
- The National Institute of Standards and Technology's special publication 800-53 and 800-53a;
- The Federal Risk and Management Program's "FedRAMP Security Assessment Framework";
- The Center for Internet Security's "Center for Internet Security Critical Security Controls for Effective Cyber Defense"; and
- The "ISO/IEC 27000-series" information security standards published by the International Organization for Standardization and International Electrotechnical Commission.
Who is a Covered Entity Under the New Law?
The Connecticut "safe harbor" law for data breaches explicitly defines which businesses and entities will be covered by its provisions. Covered entities are defined as businesses that "access, maintain, communicate, or process personal or restricted information through one or more systems, networks, or services located inside or outside the State of Connecticut." Basically, any business that stores, handles, or processes personal or restricted information is covered by this law.
A companion bill, which strengthened cybersecurity protections across the board, expanded the definition of personal information to include not only basic identifying information such as name, social security number, driver's license, etc., but also taxpayer identification, passport number, IRS identification numbers, medical history or treatment, health insurance policy information, biometric information obtained electronically, and user name or email address as well as passwords.
The safe harbor law also adds the term "restricted information" in addition to "personal information." Restricted information is defined in the statute as "any information about an individual, other than personal information or publicly available information… that can be used to distinguish or trace the individual's identity… if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property." Again, this translates to an expansion of the type of information protected by this new legislation. Businesses should take measures to secure restricted information by implementing encryption or other technologies that protect the identities of those linked to the information.
New Notification Requirements
The new laws, which go into effect on October 1, 2021, also shorten the time period in which businesses have to notify affected parties and the Attorney General of any data breaches. The prior deadline was 90 days; with the new revisions, businesses now have to report "without unreasonable delay," but at the latest within 60 days of knowledge of the breach. Businesses must also now specifically notify users whose user names or passwords have been breached and request that they create new passwords for their own protection as soon as possible.
Employer Takeaways
- Review your current cybersecurity plan to ensure it complies with the framework outlined in the statute, or, if you don't yet have a cybersecurity plan, use the framework to create one.
- Note the expanded definitions of personal and restricted information when reviewing and creating cybersecurity plans and determine whether the retention of such information is necessary.
- Be aware of the shortened notice requirements when responding to a data breach.
- Know that compliance with standards outlined in the law will protect against punitive damages brought as the result of a data breach.
The Cybersecurity & Data Privacy practice group at WSHB is composed of a national team of skilled attorneys who resolve and respond to our clients’ cybersecurity and data privacy needs. We offer a 24/7 response service for data breach emergencies. WSHB provides assistance in all matters concerning cyber risk management, data breaches, cyber insurance coverage, and tactful defense and litigation strategy. We monitor recent cyber trends and implement proven and cost-effective solutions for our clients’ needs. Do not hesitate to reach out to the author of this article or a member of our team should you have questions or concerns on how to properly implement the requirements of this new legislation into your cybersecurity program.