Connecticut Governor Ned Lamont approved two privacy and cybersecurity laws which take effect on October 1, 2021. Connecticut now offers protection to businesses that implement cybersecurity safeguards from punitive damages in tort lawsuits, while strengthening the state’s reporting requirements in the event of a data breach.
Incentivizing cybersecurity standards
On July 6, 2021, Governor Lamont signed “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (Public Act 21-119), which helps protect businesses from punitive damages when a plaintiff brings a lawsuit claiming the business failed to implement reasonable cybersecurity controls that resulted in a data breach.
Under the Act, if a covered entity creates, maintains, and complies with a written cybersecurity program for the protection of personal or restricted information that meets industry-recognized frameworks, then the covered entity can take advantage of the protection from punitive damages. A “covered entity” is “a business that accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside” Connecticut.
A cybersecurity program conforms with industry-recognized cybersecurity frameworks if it:
- meets current versions of certain standards, such as NIST 800-171, and conforms to new revisions to the publications;
- is subject to the Health Insurance Portability and Accountability Act of 1996, Gramm-Leach-Bliley Act of 1999, or other law imposing a security framework and the covered entity conforms to the current version of the requirements; or
- complies with the current version of the Payment Card Industry Data Security Standard and one of the current versions of “another applicable industry recognized cybersecurity framework[.]”
The cybersecurity program should be designed to protect the security and confidentiality of the information, protect against threats or hazards to the security or integrity of the information, and protect against unauthorized access to and acquisition of the information that would “result in a material risk of identity theft or other fraud to the individual to whom the information relates.” The Act sets out factors for the scale and scope of a covered entity’s cybersecurity program.
However, the Act’s protection against punitive damages does not apply if the “failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.” Importantly, the Act specifically cannot be “construed to affect or limit the process by which certification is granted in class actions founded in tort.”
Strengthening Connecticut’s data breach reporting requirements
Last month, Governor Lamont approved “An Act Concerning Data Privacy Breaches” (Public Act 21-59), which updates Connecticut’s data breach law. It creates additional categories of “personal information” that will now be covered under Connecticut’s data breach law. Under Connecticut law, a data breach must be reported when there is unauthorized access to, or acquisition of, electronic data containing unsecured “personal information.” PA 21-59 expands the definition of personal to now include the following:
- taxpayer identification numbers,
- passport numbers,
- military identification numbers,
- identity protection personal identification numbers issued by the IRS,
- certain medical information,
- certain biometric information used to authenticate or ascertain the individual’s identity (e.g., fingerprints, voice prints, retina images),
- health insurance policy numbers or other unique identifier used by a health insurer, and
- user names or e-mail addresses, in combination with a password or security Q&As that would permit access to an online account.
PA 21-59 also updated a business’s reporting requirements and shortened the notice period after a breach from ninety to sixty days. Businesses must also “proceed in good faith” and “as expediently as possible” to notify any additional Connecticut residents “whose personal information was breached or reasonably believed to have been breached following sixty days after the discovery of such breach.”
In the event of a breach of login credentials, the notice should direct the recipient to promptly change any password or security Q&A or to take other steps to protect their online accounts. The notice may be provided in electronic form, but it can’t be sent to the e-mail account that was breached or reasonably believed to have been breached if receipt of such notification can’t be reasonably verified.
PA 21-59 also clarifies that if an entity is subject to and in compliance with HIPAA and HITECH, then it will be deemed in compliance with the Act so long as it provides notice to the Connecticut Attorney General no later than when notice is provided pursuant to HITECH, if notice to the Attorney General would otherwise be required.
Finally, PA 21-59 clarifies that documents, materials, and information provided in response to an investigative demand are exempt from public disclosure. However, the Connecticut Attorney General can make them available to third parties in furtherance of such an investigation.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale and Rachel Harris are associates in Thompson Coburn’s Business Litigation group.