LCO No. 4480 1 of 5
General Assembly
Raised Bill No. 6607
January Session, 2021
LCO No. 4480
Referred to Committee on COMMERCE
Introduced by: (CE)

AN ACT INCENTIVIZING THE ADOPTION OF CYBERSECURITY STANDARDS FOR BUSINESSES.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective October 1, 2021) (a) As used in this section:

(1) "Business" means any individual or sole proprietorship, partnership, firm, corporation, trust, limited liability company, limited liability partnership, joint stock company, joint venture, association or other legal entity through which business for profit or not-for-profit is conducted;

(2) "Covered entity" means a business that accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside this state;

(3) "Data breach" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information or restricted information owned by or licensed to a covered entity and that causes, reasonably is believed to have caused or reasonably is believed will cause a material risk of identity theft or other fraud to a person or property.
"Data breach" does not include (A) good faith acquisition of personal information or restricted information by the covered entity's employee or agent for the purposes of the covered entity, provided the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure, or (B) acquisition of personal information or restricted information pursuant to a search warrant, subpoena or other court order, or pursuant to a subpoena, order or duty of a regulatory state agency;

(4) "Personal information" means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted or altered by any method or technology in such a manner that the data elements are unreadable: (A) Social security number; (B) driver's license number or state identification number; or (C) account number or credit or debit card number, in combination with and linked to any required security code, access code or password that would permit access to an individual's financial account; and

(5) "Restricted information" means any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is linked or linkable to an individual, if the information is not encrypted, redacted or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.
(b) In any cause of action founded in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, it shall be an affirmative defense that a covered entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that reasonably conforms to an industry recognized cybersecurity framework, as described in subsection (c) of this section and that such covered entity designed its cybersecurity program in accordance with the provisions of subsection (d) of this section.

(c) A covered entity's cybersecurity program, as described in subsection (b) of this section, reasonably conforms to an industry recognized cybersecurity framework if:

(1) (A) The cybersecurity program reasonably conforms to the current version of or any combination of the current versions of:

(i) The "Framework for Improving Critical Infrastructure Cybersecurity" published by the National Institute of Standards and Technology;

(ii) The National Institute of Standards and Technology's special publication 800-171;

(iii) The National Institute of Standards and Technology's special publications 800-53 and 800-53a;

(iv) The Federal Risk and Management Program's "FedRAMP Security Assessment Framework";

(v) The Center for Internet Security's "Center for Internet Security Critical Security Controls for Effective Cyber Defense"; or

(vi) The "ISO/IEC 27000-series" information security standards published by the International Organization for Standardization and the International Electrotechnical Commission.
(B) When a revision to a document listed in subparagraph (A) of this section is published, a covered entity whose cybersecurity program reasonably conforms to a prior version of said document, such covered entity shall reasonably conform to such revision not later than one year after the publication date of such revision.

(2) (A) The covered entity is regulated by the state or the federal government or is otherwise subject to the requirements of any of the laws or regulations identified in subparagraph (A)(i) to (A)(iv), inclusive, of this subdivision, and such covered entity's cybersecurity program reasonably conforms to the current version of:

(i) The security requirements of the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended from time to time, as set forth in 45 CFR 164, Subpart C, as amended from time to time;

(ii) Title V of the Gramm-Leach-Bliley Act of 1999, P.L. 106-102, as amended from time to time;

(iii) The Federal Information Security Modernization Act of 2014, P.L. 113-283, as amended from time to time;

(iv) The security requirements of the Health Information Technology for Economic and Clinical Health Act, as amended from time to time, as set forth in 45 CFR 162, as amended from time to time.

(B) If any of the laws or regulations identified in subparagraph (A)(i) to (A)(iv), inclusive, of this subdivision are amended, a covered entity whose cybersecurity program reasonably conforms to a prior version of said laws or regulations, such covered entity shall reasonably conform to such amended law or regulation not later than one year after the date of such amendment.
(3) (A) The cybersecurity program reasonably complies with the current version of the "Payment Card Industry Data Security Standard" and the current version of another applicable industry recognized cybersecurity framework described in subparagraph (A) of subdivision (1) of this subsection.

(B) When a revision to the "Payment Card Industry Data Security Standard" is published, a covered entity whose cybersecurity program reasonably conforms to a prior version of said document, such covered entity shall reasonably conform to such revision not later than one year after the publication date of such revision.

(d) (1) A covered entity's cybersecurity program shall be designed to do the following with respect to personal and restricted information: (A) Protect the security and confidentiality of such information; (B) protect against any anticipated threats or hazards to the security or integrity of such information; and (C) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

(2) The scale and scope of a covered entity's cybersecurity program shall be based on the following factors: (A) The size and complexity of the covered entity; (B) the nature and scope of the activities of the covered entity; (C) the sensitivity of the information to be protected; (D) the cost and availability of tools to improve information security and reduce vulnerabilities; and (E) the resources available to the covered entity.
This act shall take effect as follows and shall amend the following sections:

Section 1    October 1, 2021    New section

Statement of Purpose:
To incentivize the adoption of cybersecurity standards for businesses by allowing businesses that adopt certain cybersecurity framework to plead an affirmative defense to any cause of action that alleges that a failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.

[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]