United States: Connecticut Expands Protection of Personal Information, Promotes Adoption of Cyber Security Standards for Businesses
Beginning October 1, 2021, Connecticut businesses will benefit from legal protection against the assessment of punitive damages in cases that allege breaches of personal and confidential information protection, provided that reasonable cybersecurity controls are in place. Public Law 21-119, enacted by the Connecticut Legislature on July 6, 2021, aims to encourage greater adoption of cybersecurity standards by businesses in the state by providing guidance on reasonable cybersecurity controls and by protecting companies that implement these controls.
The new law, which applies only to tort actions brought under Connecticut law in Connecticut state court, serves to protect businesses that comply with certain requirements. Businesses wishing to take advantage of the protections offered by the law must implement a formal, written cybersecurity program that contains “administrative, technical and physical safeguards for the protection of personal or restricted information.” The program must also adhere to an industry-recognized cybersecurity framework enumerated in the law, such as those promulgated by the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS) and the Payment Card Industry (PCI) Security Standards Council; where applicable, the cybersecurity regulations established under HIPAA, HITECH, FISMA or GLBA also apply.
Public Law 21-119 follows on from Public Law 21-59, passed earlier this summer. Public Law 21-59 amended Connecticut’s existing data breach and cybersecurity law, expanding the definition of “personal information” subject to legal protection, shortening the timeframe for notification of data breaches, and protecting from public disclosure certain information provided in response to a Connecticut investigation into unfair business practices arising from a data breach.
Connecticut has adapted its definitions to consumer expectations by expanding the definition of “personal information” to include data such as:
- Medical, health insurance policy or subscriber information
- Individual tax identification numbers
- Passport numbers or other government-issued identification numbers used to verify identity
- Biometric information and usernames or email addresses, in combination with a password or security questions and answers that would provide access to an online account.
Data breach notifications
Businesses should also be aware of the new legal requirements that apply if they experience a data breach. The deadline for reporting data breaches has been reduced from 90 days to 60 days. Additionally, if a business is unable to confirm the identities of, and notify, all users affected by a data breach, it must provide advance notice to all potentially affected people within 60 days. The law also includes a unique requirement if a business believes the breach included login credentials: notice can be provided in electronic form as long as it directs the resident to promptly change any password or security questions and answers, or take other appropriate measures to protect the relevant online account.
Connecticut’s updated privacy and cybersecurity laws seek to strike a balance between protecting individuals and providing businesses with compliance and risk management guidance, including an incentive for businesses in the form of limited potential liability for punitive damages if they comply with the legal requirements.