July 7, 2021

Act offering companies a shield from data breach lawsuits now law

A bill shielding Connecticut businesses from liability for data breaches as long as they adopt and maintain approved cybersecurity protocols is now law, having come into effect Oct. 1.

Gov. Ned Lamont in July signed HB 6607, legislation designed to incentivize companies to strengthen their network defenses with the promise of protection against certain lawsuits. Provided businesses adopt an industry-recognized cybersecurity framework, like those promulgated by the National Institute of Standards and Technology, they would not be ordered to pay punitive damages for a data breach resulting in the exposure of personal information.

Lamont has also pledged an $11 million investment to support the state’s enhanced cybersecurity efforts.

The bill came months after Lamont announced the launch of a year-long process of building a new information technology organization within state government designed to centralize the coordination of the state’s IT resources by the Department of Administrative Services.

That initiative included the creation of the state’s first Chief Information Security Officer, a role filled by Jeff Brown.

Backers in the General Assembly and from the state’s business community had framed the bill as a legal carrot to move companies closer to implementing comprehensive cybersecurity safeguards.

The issue has taken on renewed importance in the last few months, as criminals based mainly in Russia and Eastern Europe have extorted millions from U.S. companies for the safe return of scrambled or stolen records.

One recent attack, on Wisconsin-based Applus Technologies, stopped motor vehicle emissions testing in Connecticut and seven other states that use the company’s software to carry out the mandatory inspections. The service was disabled in late March and came back online one month later.

To qualify for legal protection under the new law, employers must adopt a cybersecurity framework from a reputable entity, such as the National Institute of Standards and Technology, the Federal Risk and Authorization Management Program or the Center for Internet Security, among others. Companies must keep up to date with changes and revisions to those programs, bringing their own plans into compliance within six months.
