Connecticut 2021 2021 Regular Session

Connecticut House Bill HB06607 Comm Sub / Bill

Filed 04/26/2021

LCO \\PRDFS1\HCOUSERS\BARRYJN\WS\2021HB-06607-R02-HB.docx
1 of 5

General Assembly  Substitute Bill No. 6607
January Session, 2021

AN ACT INCENTIVIZING THE ADOPTION OF CYBERSECURITY STANDARDS FOR BUSINESSES.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective October 1, 2021) (a) As used in this section:

(1) "Business" means any individual or sole proprietorship, partnership, firm, corporation, trust, limited liability company, limited liability partnership, joint stock company, joint venture, association or other legal entity through which business for profit or not-for-profit is conducted;

(2) "Covered entity" means a business that accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside this state;

(3) "Data breach" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information or restricted information owned by or licensed to a covered entity and that causes, reasonably is believed to have caused or reasonably is believed will cause a material risk of identity theft or other fraud to a person or property. "Data breach" does not include (A) good faith acquisition of personal information or restricted information by the covered entity's employee or agent for the purposes of the covered entity, provided the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure, or (B) acquisition of personal information or restricted information pursuant to a search warrant, subpoena or other court order, or pursuant to a subpoena, order or duty of a regulatory state agency;

(4) "Personal information" means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted or altered by any method or technology in such a manner that the data elements are unreadable: (A) Social security number; (B) driver's license number or state identification number; or (C) account number or credit or debit card number, in combination with and linked to any required security code, access code or password that would permit access to an individual's financial account; and

(5) "Restricted information" means any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is linked or linkable to an individual, if the information is not encrypted, redacted or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.

(b) In any cause of action founded in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, it shall be an affirmative defense that a covered entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework, as described in subsection (c) of this section and that such covered entity designed its cybersecurity program in accordance with the provisions of subsection (d) of this section.

(c) A covered entity's cybersecurity program, as described in subsection (b) of this section, conforms to an industry recognized cybersecurity framework if:

(1) (A) The cybersecurity program conforms to the current version of or any combination of the current versions of:

(i) The "Framework for Improving Critical Infrastructure Cybersecurity" published by the National Institute of Standards and Technology;

(ii) The National Institute of Standards and Technology's special publication 800-171;

(iii) The National Institute of Standards and Technology's special publications 800-53 and 800-53a;

(iv) The Federal Risk and Management Program's "FedRAMP Security Assessment Framework";

(v) The Center for Internet Security's "Center for Internet Security Critical Security Controls for Effective Cyber Defense"; or

(vi) The "ISO/IEC 27000-series" information security standards published by the International Organization for Standardization and the International Electrotechnical Commission.

(B) When a revision to a document listed in subparagraph (A) of this section is published, a covered entity whose cybersecurity program conforms to a prior version of said document, such covered entity shall conform to such revision not later than sixty days after the publication date of such revision.

(2) (A) The covered entity is regulated by the state or the federal government or is otherwise subject to the requirements of any of the laws or regulations identified in subparagraph (A)(i) to (A)(iv), inclusive, of this subdivision, and such covered entity's cybersecurity program conforms to the current version of:

(i) The security requirements of the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as amended from time to time, as set forth in 45 CFR 164, Subpart C, as amended from time to time;

(ii) Title V of the Gramm-Leach-Bliley Act of 1999, P.L. 106-102, as amended from time to time;

(iii) The Federal Information Security Modernization Act of 2014, P.L. 113-283, as amended from time to time;

(iv) The security requirements of the Health Information Technology for Economic and Clinical Health Act, as amended from time to time, as set forth in 45 CFR 162, as amended from time to time.

(B) If any of the laws or regulations identified in subparagraph (A)(i) to (A)(iv), inclusive, of this subdivision are amended, a covered entity whose cybersecurity program conforms to a prior version of said laws or regulations, such covered entity shall conform to such amended law or regulation not later than sixty days after the date of such amendment.

(3) (A) The cybersecurity program complies with the current version of the "Payment Card Industry Data Security Standard" and the current version of another applicable industry recognized cybersecurity framework described in subparagraph (A) of subdivision (1) of this subsection.

(B) When a revision to the "Payment Card Industry Data Security Standard" is published, a covered entity whose cybersecurity program conforms to a prior version of said document, such covered entity shall conform to such revision not later than one year after the publication date of such revision.

(d) (1) A covered entity's cybersecurity program shall be designed to do the following with respect to personal and restricted information: (A) Protect the security and confidentiality of such information; (B) protect against any anticipated threats or hazards to the security or integrity of such information; and (C) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.

(2) The scale and scope of a covered entity's cybersecurity program shall be based on the following factors: (A) The size and complexity of the covered entity; (B) the nature and scope of the activities of the covered entity; (C) the sensitivity of the information to be protected; (D) the cost and availability of tools to improve information security and reduce vulnerabilities; and (E) the resources available to the covered entity.

This act shall take effect as follows and shall amend the following sections:

Section 1  October 1, 2021  New section
 
Statement of Legislative Commissioners:
Throughout the bill, the word "reasonably" was deleted for consistency with other provisions of the Section.

CE   Joint Favorable C/R   JUD
JUD  Joint Favorable Subst.