A bill shielding Connecticut businesses from liability for data breaches as long as they adopt and maintain approved cybersecurity protocols is now law.
Gov. Ned Lamont on Tuesday signed HB 6607, legislation designed to incentivize companies to strengthen their network defenses with the promise of protection against certain lawsuits. Provided businesses adopt an industry-recognized cybersecurity framework, like those promulgated by the National Institute of Standards and Technology, they would not be ordered to pay punitive damages for a data breach resulting in the exposure of personal information.
Backers in the General Assembly and from the state’s business community had framed the bill as a legal carrot to move companies closer to implementing comprehensive cybersecurity safeguards.
The issue has taken on renewed importance in the last few months, as criminals based mainly in Russia and Eastern Europe have extorted millions from U.S. companies for the safe return of scrambled or stolen records.
One recent attack, on Wisconsin-based Applus Technologies, stopped motor vehicle emissions testing in Connecticut and seven other states that use the company’s software to carry out the mandatory inspections. The service was disabled in late March and came back online one month later.
To qualify for legal protection under the new law, employers must adopt a cybersecurity framework from a reputable entity, such as the National Institute of Standards and Technology, the Federal Risk and Authorization Management Program or the Center for Internet Security, among others. Companies must keep up to date with changes and revisions to those programs, bringing their own plans into compliance within six months.
