Researcher: SM Page 1 5/21/21 OLR Bill Analysis sHB 6607 (as amended by House "A")* AN ACT INCENTIVIZING THE ADOPTION OF CYBERSECURITY STANDARDS FOR BUSINESSES. SUMMARY This bill prohibits the Superior Court from assessing punitive damages against a covered entity (see below) for a data breach of personal or restricted information if the covered entity meets specified cybersecurity requirements. Specifically, when a civil action alleges that a data breach resulted from a covered entity’s failure to implement reasonable cybersecurity controls, the court may not assess punitive damages if the covered entity created, maintained, and complied with a written cybersecurity program containing administrative, technical, and physical safeguards for protecting personal or restricted information. To qualify for this protection, these cybersecurity programs must (1) meet specified design requirements and (2) conform to an industry-recognized cybersecurity framework. However, the protection does not apply if the covered entity’s failure to implement reasonable cybersecurity controls resulted from gross negligence or willful or wanton conduct. Under the bill, “covered entities” are businesses accessing, maintaining, communicating, or processing personal or restricted information in or through systems, networks, or services located inside or outside the state. The bill’s provisions do not: 1. affect or limit the process of granting certification in class actions; 2. affect or limit existing statutory requirements for (a) state contractors who receive confidential information and (b) 2021HB-06607-R01-BA.DOCX Researcher: SM Page 2 5/21/21 Connecticut businesses that maintain computerized personal information and suffer security breaches; or 3. limit the authority of the attorney general or the Department of Consumer Protection commissioner to seek administrative, legal, or equitable relief allowed by law. *House Amendment “A” (1) changes the bill’s protection for qualifying covered entities from an affirmative defense to a prohibition on punitive damages and disqualifies covered entities from this protection for certain conduct; (2) changes, to six months, the time period by which a covered entity’s cybersecurity program must conform with revisions or amendments to certain cybersecurity frameworks, laws, and regulations; (3) explicitly exempts certain statutes, executive powers, and legal processes from the bill’s provisions; (4) makes changes to the definitions of personal and restricted information; and (5) makes minor and technical changes. EFFECTIVE DATE: October 1, 2021 CYBERSECURITY PROGRA M DESIGN REQUIREMENT S To qualify for the bill’s protection against punitive damages, a covered entity’s cybersecurity program must be designed to protect the security and confidentiality of personal and restricted information. The program must specifically protect this information against (1) threats or hazards to its security or integrity and (2) unauthorized access and acquisition that would cause material risk of identity theft or other fraud. The bill requires the scale and scope of a covered entity’s cybersecurity program to be based on the: 1. entity’s size and complexity, and the nature and scope of its activities; 2. sensitivity of the information to be protected; and 3. cost and availability of tools to improve information security 2021HB-06607-R01-BA.DOCX Researcher: SM Page 3 5/21/21 and reduce vulnerabilities. INDUSTRY-RECOGNIZED CYBERSECU RITY FRAMEWORKS Under the bill, an industry-recognized cybersecurity framework includes the most current version of: 1. one or any combination of six specifically recognized frameworks (see Table 1), 2. one of four specified federal laws and regulations (for entities regulated by any of these laws or the state or federal government; see Table 2), or 3. the “Payment Card Industry Data Security Standard” in combination with one of the acceptable frameworks mentioned in Table 1 below. Table 1: Industry-Recognized Cybersecurity Frameworks Publisher Framework National Institute of Standards and Technology "Framework for Improving Critical Infrastructure Cybersecurity" Special Publication (SP) 800-171 SP 800-53 and 800-53a Federal Risk and Management Program "FedRAMP Security Assessment Framework" Center for Internet Security "Center for Internet Security Critical Security Controls for Effective Cyber Defense" International Organization for Standardization and the International Electrotechnical Commission "ISO/IEC 27000-series" Table 2: Federal Cybersecurity Laws and Regulations Citation Law or Regulation P.L. 104-191; 45 C.F.R. 164 (Subpart C) Security requirements of the Health Insurance Portability and Accountability Act of 1996 2021HB-06607-R01-BA.DOCX Researcher: SM Page 4 5/21/21 P.L. 106-102 Title V of the Gramm-Leach-Bliley Act of 1999 P.L. 113-283 Federal Information Security Modernization Act of 2014 45 C.F.R. 162 Security requirements of the Health Information Technology for Economic and Clinical Health Act The bill requires a covered entity to conform with revisions or amendments to these frameworks, laws, and regulations within six months after the revised document is published or the laws or regulations are amended, as applicable. DEFINITIONS Businesses Under the bill, a covered entity’s business type may include an individual or a sole proprietorship, partnership, firm, corporation, trust, limited liability company or partnership, joint stock company, joint ventures, associations, or other legal entities through which for- profit or non-profit business is conducted. Data Breach The bill defines a “data breach” as unauthorized access to and acquisition of computerized data that (1) compromises the security or confidentiality of personal or restricted information owned by or licensed to a covered entity and (2) causes a material risk of identity theft or other fraud to a person or property (or reasonably is believed to have caused or will cause such risk). The definition specifically excludes: 1. employees or agents of a covered entity acquiring personal or restricted information in good faith for the purposes of the entity, so long as the entity does not unlawfully use this information or subject it to further unauthorized disclosure, or 2. the acquisition of this information pursuant to a (a) search warrant, (b) subpoena or other court order, or (c) regulatory state agency’s order or duty. Personal and Restricted Information 2021HB-06607-R01-BA.DOCX Researcher: SM Page 5 5/21/21 Under the bill, “personal information” means an individual’s first name or initial and last name in combination with one or more of the following: 1. social security, taxpayer identification, Internal Revenue Service-issued identity protection personal identification, driver’s license, state identification card, passport, or military identification numbers, or other commonly used government- issued identification numbers; 2. credit or debit card numbers; financial account numbers in combination with required security codes, access codes, or passwords that would permit access to these accounts; 3. medical information on an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; 4. health insurance policy or subscriber identification numbers, or unique identifiers health insurers use to identify individuals; or 5. biometric information that can identify an individual using their unique physical characteristics, including a fingerprint, voice print, or retina or iris image. Personal information also includes user names or e-mail addresses in combination with passwords or security questions and answers that would permit access to online accounts. However, the definition excludes publicly available information lawfully available to the general public from federal, state, or local government records or widely distributed media. “Restricted information” means any unencrypted, unredacted, or unaltered information about an individual that, alone or in combination with other information (including personal information as described above), (1) can be used to distinguish or trace the individual’s identity or is reasonably linked or linkable to an individual and (2) is likely to result in a material risk of identity theft 2021HB-06607-R01-BA.DOCX Researcher: SM Page 6 5/21/21 or other fraud to a person or property if breached. The definition excludes personal or publicly available information. COMMITTEE ACTION Commerce Committee Joint Favorable Change of Reference - JUD Yea 22 Nay 1 (03/22/2021) Judiciary Committee Joint Favorable Substitute Yea 32 Nay 3 (04/09/2021)