Connecticut businesses and organizations that have been breached in a cyberattack could be protected from liability if they have adopted and implemented adequate cybersecurity protocols under a new Connecticut law. The new law has been designed to give businesses and organizations an incentive to enhance their digital defenses.
While the Connecticut legislature did not succeed in passing its own comprehensive privacy law like those enacted in other states, including California, Colorado, and Virginia, it was able to pass the “Act Incentivizing The Adoption Of Cybersecurity Standards For Businesses.” The bill was drafted by the legislature’s Commerce Committee, passed unanimously in the House and Senate in June, and will go into effect on October 1, 2021.
This law is one of many at both the state and national level that can affect how MSSPs protect customer data. Like many data security laws passed across the states, Connecticut’s Cybersecurity Standards Act requires businesses and organizations, MSSPs included, to implement cybersecurity programs with reasonable controls.
Rather than defining reasonable controls outright, as some other states’ laws do by listing specific requirements, Connecticut’s Cybersecurity Standards Act is more general: reasonable controls are established by way of a safe harbor. The Act creates an affirmative defense in civil actions brought against covered entities for a data breach involving personal information and/or restricted information.
The bill states that when a data breach takes place, courts cannot assess punitive damages if the business or organization had implemented a cybersecurity program containing safeguards for protecting the information exposed in the breach. The affirmative defense is available when the action is brought under Connecticut law or in Connecticut state courts, and when the defendant business or organization can show that it complied with one of the industry-recognized cybersecurity frameworks.
What Cybersecurity Standards Are Referenced?
The cybersecurity standards that are referenced under this law include the following:
National Institute of Standards and Technology
- Framework for Improving Critical Infrastructure Cybersecurity
- Special Publication (SP) 800-171
- SP 800-53 and SP 800-53A
Federal Risk and Authorization Management Program (FedRAMP)
- FedRAMP Security Assessment Framework
Center for Internet Security
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
International Organization for Standardization and the International Electrotechnical Commission
- ISO/IEC 27000 series
As with the implementation of any new law, opinions will be mixed. While some may welcome the policy, others may feel the law will not have the impact it intends. Anthony Buonaspina, BSEE, BSCS, CPACC, CEO and Founder of LI Tech Advisors, said:
I had no idea that Connecticut was taking such a proactive approach to encourage businesses and organizations to bolster their cybersecurity.
Connecticut is taking the stance of incentivizing companies over penalizing them. Basically, they can attract (and protect) more companies with honey than with vinegar and allow companies to avoid large fines by simply enhancing their security and meeting all the necessary state-mandated security guidelines.
I can see this as quickly causing a major uptick in companies reaching out to MSSPs to fill in the gaps and plug the holes in their IT security infrastructure. My conversations with clients have always been that you NEED to improve your security to a certain level by building higher walls and wider moats. However, clients typically put off the expense and “hope for the best.”
This now gives added reasons as to why they need to act as soon as possible to implement these basic protections – since the expenses needed to bolster security can now be looked at as an investment similar to cybersecurity insurance. By simply paying a little money now, you can avoid a large expense if and when a security breach occurs.
You are also going to see the need, like with the WCAG ADA accessibility compliance, for an MSSP to “certify” that a company has met all the guidelines the state has put in place. I predict that many MSPs will pivot their business structure to become more of an MSSP. I believe that the future of MSPs is quickly becoming a “race to the bottom,” whereas MSSPs are becoming a “race to the top.” I think this new type of “incentivizing businesses” approach will quickly become the standard for many states.
One online forum user stated, “I can see exactly how this will end up. Companies will do the bare minimum to check all the boxes on the audit and then be free from all liability. If companies want to take risks and cut corners, then they should be held liable for the consequences.”
Another user stated, “I’m not sure rewards are the right thing here. You implement security because you value it, not because someone promises to buy you a pony. Let businesses with poor security practices fail. Paves the way for secure/mature businesses to leverage security as an asset and differentiator.”
For many businesses and organizations, cybersecurity is viewed as a cost center, and many do not believe data protection is a necessary cost of doing business. Connecticut hopes to reward businesses and organizations that do more to protect their data. At the same time, business owners and leaders across the globe have taken notice of the horrifying stories of cyberattacks, ransomware demands, and data breaches. The thought alone is intimidating, and many operate with the belief that they could be next.
If you are located in Connecticut or have business connections to the state, this law may offer some peace of mind: clearer rules and a measure of protection from the Connecticut government for those who invest in their defenses.
The new law incentivizes the right behavior rather than punishing and penalizing the victims, which is how things have been handled for many years. Will this change by the state of Connecticut start a trend? Will other states do the same?
Donald Korinchak is a Cybersecurity Professional in the Washington DC area. Donald holds an MBA from the University of Pittsburgh Katz School of Business. Donald is considered a thought leader in business, leadership, and cybersecurity issues.