At the close of Connecticut’s 2021 legislative session, a pair of data protection/cybersecurity related bills made their way to Governor Ned Lamont’s desk, while a CCPA-like omnibus privacy law fell one floor vote short. Oddly, the last-minute proposal (following other proposals in the House and Senate) was found in a 122-page budget bill and ended up being stripped away.
New Law Sets Bar for “Reasonable Security”
HB 6607 became law without the Governor’s signature, and will incentivize the adoption of cybersecurity standards for businesses. The new law will allow businesses that adopt certain cybersecurity practices to escape punitive damages in any cause of action that alleges that a failure to implement “reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information” if the action is brought under the laws of the State of Connecticut or in the courts of the State of Connecticut.
Specifically, effective October 1, “the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal or restricted information and that reasonably conforms to an industry-recognized cybersecurity framework.” The law contains a list of “industry-recognized” frameworks that would qualify a business for the affirmative defense, including:
- NIST’s Framework for Improving Critical Infrastructure Cybersecurity
- NIST’s Special Publication 800-171
- NIST’s Special Publication 800-53 and 800-53a
- The FedRAMP Security Assessment Framework
- Center for Internet Security Critical Security Controls
- ISO/IEC 27000 series information security standards
- PCI-DSS Security Standards
Entities will need to pay close attention to revisions in whatever standards are adopted, because the law only applies if a covered entity conforms to revisions not later than 6 months after the publication date of the revision.
Entities regulated by HIPAA/HITECH or GLBA will be able to rely on this law if their cybersecurity programs conform to the current versions of the relevant security requirements, provided that the entities conform with revisions to applicable laws not later than 6 months after the publication date of such revision.
Connecticut sets the bar for what, in its legislative view, constitutes “reasonable security measures” by outlining these industry-recognized standards as the guidelines. An earlier version of HB 6607 provided an affirmative defense “safe harbor” for adoption of such security frameworks, but was revised in the final “as passed” version.
Update to Data Breach Notification Statute
Governor Lamont did sign HB 5310, which amends Connecticut’s data breach notification statute to bring it into line with many other states.
Effective October 1, entities with personal information of Connecticut residents should be adjusting incident response plans to ensure compliance with the new law. Things to watch out for:
- Expanded definition of “personal information” – Connecticut moves more towards other states with expanded definitions by including data points such as medical information or health insurance policy number or subscriber information; individual taxpayer ID number; passport number, military ID number, or other ID number issued by the government used to verify identity; biometric information; user name or email address, in combination with a password or security Q&A that would permit access to an online account. Note that HB 6607 includes this expanded definition of “personal information.”
- Notification Time and Content – Notification timeframe for both individuals and the AG’s Office is shortened from 90 days to “without unreasonable delay, but not later than 60 days.” Additionally, if it will take longer than 60 days to determine the identification of a resident of the state whose personal information was “breached or reasonably believed to have been breached,” preliminary substitute notice must be provided as outlined by the law.
- Breach of Login Credentials – Connecticut now has a unique requirement in the case of a breach of login credentials. Notice to an affected resident may be provided in electronic or other form that directs the resident to promptly change any password or security Q&A, or to take other appropriate steps to protect the affected online account, or any account with the same login credentials.
Important Note on the HIPAA and HITECH Exception: As with the existing Connecticut law (and many other state data breach notification laws), any entity subject to (and in compliance with) HIPAA and/or HITECH privacy and security obligations is deemed in compliance with the new law – with two critical exceptions: (1) an entity subject to HIPAA/HITECH that is required to notify Connecticut residents under HIPAA/HITECH must still notify the AG at the same time residents are notified (this is similar to the NY SHIELD Act); and (2) if the entity would have been required to provide identity protection services under Connecticut law due to compromise of SSN (for 24 months), that requirement remains in place.