🔒After year of high-profile hacks, companies rushing to get in compliance with CT’s new cyber shield law

Companies across Connecticut are working to get their cybersecurity houses in order following the passage of a state law offering certain legal protections to businesses in the event of a data breach.

The law, signed by Gov. Ned Lamont in July and effective as of Oct. 1, bars state superior courts from assessing punitive damages against businesses in tort-based data breach cases as long as the business in question had adopted and adhered to a cybersecurity program based in an industry-recognized cybersecurity framework.

Business entities looking to qualify can pick from among several standards based on their size, industry, internal complexity and sensitivity, including plans developed by the National Institute of Standards and Technology, Federal Risk and Management Program, and Center of Internet Security, among others.

Lamont and other state officials have framed the legislation as a way to attract businesses to Connecticut and limit the financial exposure of companies that make a good-faith effort to protect their data at a time when sophisticated cyber attacks are targeting businesses in particularly sensitive sectors, such as energy, food and consumer electronics.

And it appears many firms are now looking to take advantage of the protection it affords.

“Over the last 60 days we’ve had quite a few people reach out looking to bring themselves up to par on this,” said Chris Wisneski, an IT security and assurance services manager at the Hartford office of accounting and advisory firm Whittlesey. “There’s been a big uptick in interest. And it’s coming from all industries, not just small businesses. It’s across the board.”

While each framework will have its own requirements, Wisneski said there are some basics that would be folded into any comprehensive cybersecurity strategy, including multi-factor authentication, implementation of security awareness programs, which train employees in how to recognize phishing campaigns and other threats, and development of an incident response plan for intrusions or service interruptions.

Companies will also likely have to get tighter control over personal identifiable information, he noted. The law defines personal identifiable information as not only basic identifiers such as Social Security or credit card numbers but biometric data, including fingerprints, voice prints and retina and iris images.

A rush to get in compliance with these standards — not impossibly rigorous but not always intuitive or easily understandable to those outside the tech world — has sent many firms looking for consultants who can help them through the process, including those at Whittlesey.

“A lot of them have been reaching out to cybersecurity professionals,” Wisneski said. “They just don’t have the time and capability to do it on their own, and so they go to a third party.”

‘Just good public policy’

In general, those who have been following the development of the cyber shield proposal over the last several months give the finished law high marks.

“It’s a great incentive,” said Linn Freedman, an attorney who chairs the data privacy and cybersecurity team at Hartford law firm Robinson+Cole. “It’s just good public policy to have a law in place that encourages companies to put cybersecurity measures in place. And it gives these companies something they can rely on — that if they take these steps, they can reduce their risk.”

The law could be especially helpful to small- and medium-sized businesses, Freedman added, since they may have less experience navigating cybersecurity issues than larger firms, and can benefit from the guidance offered by preexisting standards.

“What I like about it is they’re not reinventing the wheel,” said Tim Weber, director of security services for Rocky Hill-based IT company ADNET Technologies. “They’re taking these other compliance standards and allowing organizations to pick which one makes the most sense for them.”

Using the analogy of carrots and sticks, Weber said Connecticut’s method is less punitive than laws in other states.

“In most states, it’s the stick — you’ll do this or you’ll get in trouble,” he said. “But in Connecticut they’ve positioned this as a safe harbor, which is appealing to companies.”

“It’s very, very early,” Weber added. “But for now I’m cautiously optimistic.”

Still, companies should be clear on what the law does and doesn’t do, and as Freedman pointed out, the act does not grant complete protection from liability in data breach lawsuits.

The language of the legislation, for instance, says nothing about prohibiting aggrieved parties from seeking compensatory or injunctive relief, Freedman noted, and the protection from punitive damages does not apply if “failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.”

“The risk is that, if the company fails in a very extreme way, they wouldn’t be protected from punitive damages,” she said.

Even with those limitations, however, experts see the law as a positive way of pushing companies to take cyber threats seriously, especially at a time when attacks from hackers based in Russia and other Eastern European countries are temporarily crippling the operations of major corporations and extracting millions in cryptocurrency payments for the return or decryption of stolen data.

“It’s encouraging them to at least try to limit the effect of a security incident,” Freedman said.

Weber voiced a similar point, explaining that it will take a combination of incentives and policies to gradually strengthen the private sector’s security posture.

“The sophistication and pace of these attacks is only increasing,” he said. “And for every major incident you see in the media, there’s 100 other ones that don’t get publicized. So my view is that anything that motivates companies to get in compliance — even if it’s just a few, or one — is a good thing.”