As data breaches become a fact of life for both businesses and consumers, barely a news cycle goes by without a story of another successful hack, ransomware, theft of personal data or other data breach. These data breaches are occurring in an environment in which cyber criminals continue to evolve their methods and increase the sophistication of their attacks, resulting in more and more business leaders coming to the unsettling realization that their organization will never be 100% secure or “breach proof” – no matter how much time and money they spend on cybersecurity and employee training.
Data breaches harm consumers and cost businesses valuable time and money, in terms of response costs, damage to information systems, and reputational costs. While still a generally nascent threat, another cost is the risk of lawsuits from employees, consumers, customers or other parties affected by the data breach. These lawsuits may arise in the context of a breach of contract claim (e.g., failure to encrypt data as required by a services agreement) or through a “tort,” such as a negligence claim (e.g., but for the business’s failure to reasonably protect the consumer’s personal data, this breach would not have occurred and the consumer would not have incurred certain damages).
About P.A. 21-119
Recognizing that no business is ever truly “breach proof,” on July 6, 2021, the Connecticut legislature signed Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” into law (“P.A. 21-119”). P.A. 21-119 creates a safe harbor against punitive damages for “covered entities” that have suffered a “data breach” involving “personal information” or “restricted information,” if such covered entity has “created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework.” A business does not qualify for this safe harbor if its failure to implement such cybersecurity controls arises from gross negligence or willful or wanton conduct.
In practice, this means that a business will not be liable for punitive damages if it is sued for negligent data protection practices related to a data breach, so long as the business can demonstrate that it has a written cybersecurity program that (A) conforms to an industry recognized cybersecurity framework and (B) contains administrative, technical and physical safeguards for the protection of personal or restricted information. However, because P.A. 21-119 is limited to punitive damages (i.e., damages that are awarded to punish the defendant), a business may still be required to compensate plaintiffs who were harmed as a result of the data breach (e.g., arising from identity theft).
What Types of Businesses Are Covered by P.A. 21-119?
P.A. 21-119 defines “covered entity” very broadly and affords this protection to most businesses in the state. Specifically, “covered entity” is defined as “a business that accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside this state.” Moreover, P.A. 21-119 defines “business” as follows: “any individual or sole proprietorship, partnership, firm, corporation, trust, limited liability company, limited liability partnership, joint stock company, joint venture, association or other legal entity through which business for profit or not-for-profit is conducted.”
As explained above, in order to qualify for the safe harbor in P.A. 21-119, a covered entity must demonstrate that it has a written cybersecurity program that (A) conforms to an industry recognized cybersecurity framework and (B) contains administrative, technical and physical safeguards for the protection of personal or restricted information.
A. What Industry Recognized Cybersecurity Frameworks Qualify?
Under P.A. 21-119, a covered entity’s cybersecurity program qualifies for the aforementioned safe harbor if it conforms to the current version, or any combination of the current versions of, the following industry recognized cybersecurity frameworks:
- “The ‘Framework for Improving Critical Infrastructure Cybersecurity’ published by the National Institute of Standards and Technology”;
- “The National Institute of Standards and Technology’s special publication 800-171”;
- “The National Institute of Standards and Technology’s special publications 800-53 and 800-53a”;
- “The Federal Risk and Management Program’s ‘FedRAMP Security Assessment Framework’”;
- “The Center for Internet Security’s ‘Center for Internet Security Critical Security Controls for Effective Cyber Defense’”; or
- “The ‘ISO/IEC 27000-series’ information security standards published by the International Organization for Standardization and the International Electrotechnical Commission.”
If a covered entity’s cybersecurity program complies with the current version of the “Payment Card Industry Data Security Standard” (“PCI-DSS”) and the current version of one of the cybersecurity standards set forth above, then it is also subject to the safe harbor in P.A. 21-119.
In addition, a business is also eligible for the aforementioned safe harbor in the event that its cybersecurity program conforms to the current version of one of the following:
- The security requirements of the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191 (“HIPAA”);
- Title V of the Gramm-Leach-Bliley Act of 1999, P.L. 106-102;
- The Federal Information Security Modernization Act of 2014, P.L. 113-283; or
- The security requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
B. Required Safeguards for Cybersecurity Program
Finally, P.A. 21-119 requires that a covered entity’s cybersecurity program contain administrative, technical and physical safeguards for the protection of personal or restricted information. Specifically, a covered entity’s cybersecurity program must: (i) “[p]rotect the security and confidentiality of such information”; (ii) “protect against any threats or hazards to the security or integrity of such information”; and (iii) “protect against unauthorized access to and acquisition of the information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates.” The following factors will determine the scale and scope of a covered entity’s cybersecurity program: “[i] [t]he size and complexity of the covered entity; [ii] the nature and scope of the activities of the covered entity; [iii] the sensitivity of the information to be protected; and [iv] the cost and availability of tools to improve information security and reduce vulnerabilities.”
P.A. 21-119 takes effect on October 1, 2021. If you have any questions regarding compliance with the above cybersecurity standards or development of a cybersecurity program that qualifies for the safe harbor in P.A. 21-119, please do not hesitate to contact Bill Roberts or Stephanie Gomes-Ganhão at Shipman.