Processing Your Payment

Please do not leave this page until complete. This can take a few moments.

May 3, 2021

CT bill would offer employers a shield from cyber attack-related lawsuits


The COVID-19 pandemic has changed the way many people work, forcing more and more business to be done online.

That’s also increased cybersecurity risks for businesses of all sizes.

In fact, the FBI’s Internet Crime Complaint Center recently said it received a record number of cybersecurity complaints from Americans last year (791,790) with reported losses exceeding $4.1 billion. It was an increase of more than 300,000 complaints compared to 2019. Problems ranged from phishing scams to compromised emails, extortion and ransomware.

In response to those increased risks, state lawmakers are considering legislation that encourages and incentivizes companies to beef up their cybersecurity efforts.

Thomas Rohback

The bill, which already passed the Commerce and Judicial committees and has business community support, provides incentives for companies to adopt cybersecurity frameworks prescribed by nationally-recognized organizations like the National Institute of Standards and Technology (NIST). If passed, it would shield companies that enacted such policies from legal liability if their customers’ data is exposed in a cyberattack.

“The basic concept is we are facing an ever-increasing risk of cyberattacks, and the consequences are mind-boggling,” said Thomas Rohback, a Hartford-based partner at law firm Axinn, Veltrop & Harkrider LLP, where he chairs the litigation group. “There are some very well-organized, well-financed bad actors, and this is getting more sophisticated all the time, so it’s almost like an arms race.”

The proposal

State Rep. Caroline Simmons (D-Stamford), who co-chairs the legislature’s Commerce Committee, introduced the bill amid an increasing number of attempted and successful cyber breaches affecting the state, including a March hack on Applus Technologies, a Wisconsin-based company that makes software used by Connecticut’s Department of Motor Vehicles to track vehicle emissions.

Cybersecurity among businesses is an issue that’s long deserved more legislative attention, Simmons said. But legislators now need to prioritize the issue, as the number and scope of attacks continue to rise, she said.

Caroline Simmons

The proposed legislation addresses the issue of private-sector cyber breaches on two fronts, Simmons said. It instructs businesses on how they can avoid getting hacked in the first place, and provides some protection from lawsuits to responsible businesses that are breached.

“If businesses are able to reasonably conform with these standards, they’re very unlikely to see a breach,” Simmons said. “But this also gives them a little more protection.”

The bill lists several different established cybersecurity frameworks that experts recognize as effective. The NIST standards, for example, involve identifying what data could be vulnerable, safeguarding data and systems, and remaining vigilant of anomalies in computer systems to detect a cyberattack as quickly as possible.

If the bill passes, businesses that conform to one of the frameworks would be able to use that compliance as an affirmative defense in state courts. That means a company sued over a cyberattack in Connecticut courts could escape legal liability if it proves its cyber practices meet the standards the law prescribes.

It’s still up in the air where liability falls when data is exposed through a cyberattack, Rohback of Axinn said. Federal circuit judges have differed on whether plaintiffs have standing to sue for damages when their data is released, he said. While he isn’t sure whether or not the liability protection in the Connecticut bill would hold up in court, Rohback said he thinks legislators are right to focus on businesses’ cybersecurity practices.

“I think every business is … looking for something that says, ‘If I do these things I’ll have some type of protection,’ “ Rohback said.

Cyber ROI

The bill has support from the business community, said Ashley Zane, a lobbyist from the Connecticut Business & Industry Association (CBIA), because it provides companies with an appropriate return on investment for enacting effective cybersecurity regimes.

Ashley Zane

Liability protection should especially incentivize small businesses to invest in heightened cybersecurity measures, since they often have fewer resources to spend on it, Zane said.

Mark Torello of Hartford regional accounting firm Whittlesey & Hadley P.C. stands in strong support of the bill, he said. As head of technology at Whittlesey, Torello helps clients respond to cyberattacks, and said the measures outlined in the bill would prevent most of the breaches he sees.

Part of the bill would require third-party evaluation of those practices, Torello said, something he recommends companies of all sizes do on an annual basis.

“Usually folks ask me, ‘what’s one thing we can do to prevent us from getting breached?’… We always say the best thing to do is have your cybersecurity assessed by a professional,” Torello said.

Businesses pay anywhere from about $2,000 to $200,000 for an outside firm to assess their cybersecurity risks, depending on the company’s size, Torello said. Most small- to medium-sized businesses pay about $10,000 for such an assessment, he said.

Mark Torello

Simmons, the lawmaker, said she thinks the proposal sets high standards to qualify for the protection, and that government needs to start providing more specific guidance as to what responsible cybersecurity policies look like.

“Largely, cybersecurity is pretty unregulated today,” Simmons said, noting that there are no national legal standards. “We thought it’s important to take action on the state level.”

Sign up for Enews


Order a PDF