As of October 1, 2021, Connecticut becomes the third state with a “safe harbor” law for data breach litigation (Public Act No. 21-119), joining Utah and Ohio. In short, Connecticut law prohibits state courts from assessing punitive damages in data breach litigation against a covered defendant who created, maintained, and adhered to a cybersecurity program that meets certain requirements. Cyber attacks are on the rise – think Colonial Pipeline, Kaseya, JBS and others – with ransomware attacks up 158% from 2019 to 2020 in North America.
The hope is that this law will provide covered entities of all sizes with an incentive to implement tighter controls over their information systems. According to Homeland Security Secretary Alejandro Mayorkas:
“In fact, small businesses account for about half to three quarters of ransomware victims
So what can “covered entities” in Connecticut do to at least try to protect themselves from punitive damages in the event of a data breach lawsuit?
First, it is important to note that the law applies to “covered entities” – defined as including a business that “accesses, stores, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside this state.”
The definition of “personal information” follows the definition of the same term in the recently updated Connecticut Data Breach Notification Act. But the law adds the term “restricted information” to the mix, defined to include:
“Any information about an individual, other than personal information or publicly available information, which, alone or in combination with other information, including personal information, can be used to distinguish or trace the identity of the individual or which is reasonably related or related to an individual, if the information is not encrypted, edited or modified by any method or technology in such a way that the information is unreadable and the violation of which is likely to result in a significant risk of identity theft or other fraud for a person or property.”
PA 21-119 prohibits the Superior Court from assessing punitive damages against a defendant covered entity in any tort action brought under Connecticut law or in Connecticut courts alleging that a failure to implement reasonable cybersecurity controls resulted in a data breach involving personal information or restricted information, provided that:
“[the covered entity] created, maintained and adhered to a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that complies with an industry recognized cybersecurity framework.”
Examples of frameworks listed in the law include NIST SP 800-171, NIST SP 800-53, and the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense. Covered entities that are already subject to federal or state regulatory frameworks, such as the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), can rely on compliance with the current version of those regulatory frameworks. If a framework is revised, the covered entity has six months to conform its program to the changes.
In addition, the cybersecurity program should be designed to:
- protect the security and confidentiality of personal and restricted information;
- protect against any threat or danger to the security or integrity of this information; and
- protect against unauthorized access and acquisition of such information which would create a significant risk of identity theft or other fraud for the person to whom the information relates.
It is important to note that covered entities should consider how the framework they use covers the personal and restricted information they retain. For example, a HIPAA covered entity or business associate that relies solely on the HIPAA Security Rule may find that its cybersecurity program reaches only “protected health information” as defined by HIPAA, and not personal and restricted information as defined in PA 21-119.
Connecticut law, however, allows the program to be scaled according to several factors, including (i) the size and complexity of the covered entity; (ii) the nature and scope of the covered entity’s activities; (iii) the sensitivity of the information to be protected; and (iv) the cost and availability of tools to improve information security and reduce vulnerabilities.
This law, like the Utah and Ohio measures, encourages stronger protection of personal data while shielding organizations facing data breach litigation from certain claims. Creating, maintaining and adhering to a robust data protection program is a critical step in risk management and legal compliance, and one that could provide protection against litigation following a data breach.