Researcher: SM Page 1 5/21/21
OLR Bill Analysis
sHB 6607 (as amended by House "A")*
AN ACT INCENTIVIZING THE ADOPTION OF CYBERSECURITY
STANDARDS FOR BUSINESSES.
SUMMARY
This bill prohibits the Superior Court from assessing punitive
damages against a covered entity (see below) for a data breach of
personal or restricted information if the covered entity meets specified
cybersecurity requirements.
Specifically, when a civil action alleges that a data breach resulted
from a covered entity’s failure to implement reasonable cybersecurity
controls, the court may not assess punitive damages if the covered
entity created, maintained, and complied with a written cybersecurity
program containing administrative, technical, and physical safeguards
for protecting personal or restricted information. To qualify for this
protection, these cybersecurity programs must (1) meet specified
design requirements and (2) conform to an industry-recognized
cybersecurity framework. However, the protection does not apply if
the covered entity’s failure to implement reasonable cybersecurity
controls resulted from gross negligence or willful or wanton conduct.
Under the bill, “covered entities” are businesses accessing,
maintaining, communicating, or processing personal or restricted
information in or through systems, networks, or services located inside
or outside the state.
The bill’s provisions do not:
1. affect or limit the process of granting certification in class
actions;
2. affect or limit existing statutory requirements for (a) state
contractors who receive confidential information and (b) 2021HB-06607-R01-BA.DOCX
Researcher: SM Page 2 5/21/21
Connecticut businesses that maintain computerized personal
information and suffer security breaches; or
3. limit the authority of the attorney general or the Department of
Consumer Protection commissioner to seek administrative,
legal, or equitable relief allowed by law.
*House Amendment “A” (1) changes the bill’s protection for
qualifying covered entities from an affirmative defense to a prohibition
on punitive damages and disqualifies covered entities from this
protection for certain conduct; (2) changes, to six months, the time
period by which a covered entity’s cybersecurity program must
conform with revisions or amendments to certain cybersecurity
frameworks, laws, and regulations; (3) explicitly exempts certain
statutes, executive powers, and legal processes from the bill’s
provisions; (4) makes changes to the definitions of personal and
restricted information; and (5) makes minor and technical changes.
EFFECTIVE DATE: October 1, 2021
CYBERSECURITY PROGRA M DESIGN REQUIREMENT S
To qualify for the bill’s protection against punitive damages, a
covered entity’s cybersecurity program must be designed to protect
the security and confidentiality of personal and restricted information.
The program must specifically protect this information against (1)
threats or hazards to its security or integrity and (2) unauthorized
access and acquisition that would cause material risk of identity theft
or other fraud.
The bill requires the scale and scope of a covered entity’s
cybersecurity program to be based on the:
1. entity’s size and complexity, and the nature and scope of its
activities;
2. sensitivity of the information to be protected; and
3. cost and availability of tools to improve information security 2021HB-06607-R01-BA.DOCX
Researcher: SM Page 3 5/21/21
and reduce vulnerabilities.
INDUSTRY-RECOGNIZED CYBERSECU RITY FRAMEWORKS
Under the bill, an industry-recognized cybersecurity framework
includes the most current version of:
1. one or any combination of six specifically recognized
frameworks (see Table 1),
2. one of four specified federal laws and regulations (for entities
regulated by any of these laws or the state or federal
government; see Table 2), or
3. the “Payment Card Industry Data Security Standard” in
combination with one of the acceptable frameworks mentioned
in Table 1 below.
Table 1: Industry-Recognized Cybersecurity Frameworks
Publisher Framework
National Institute of Standards and
Technology
"Framework for Improving Critical
Infrastructure Cybersecurity"
Special Publication (SP) 800-171
SP 800-53 and 800-53a
Federal Risk and Management
Program
"FedRAMP Security Assessment
Framework"
Center for Internet Security "Center for Internet Security Critical
Security Controls for Effective Cyber
Defense"
International Organization for
Standardization and the International
Electrotechnical Commission
"ISO/IEC 27000-series"
Table 2: Federal Cybersecurity Laws and Regulations
Citation Law or Regulation
P.L. 104-191;
45 C.F.R. 164
(Subpart C)
Security requirements of the Health Insurance Portability and
Accountability Act of 1996 2021HB-06607-R01-BA.DOCX
Researcher: SM Page 4 5/21/21
P.L. 106-102 Title V of the Gramm-Leach-Bliley Act of 1999
P.L. 113-283 Federal Information Security Modernization Act of 2014
45 C.F.R. 162 Security requirements of the Health Information Technology
for Economic and Clinical Health Act
The bill requires a covered entity to conform with revisions or
amendments to these frameworks, laws, and regulations within six
months after the revised document is published or the laws or
regulations are amended, as applicable.
DEFINITIONS
Businesses
Under the bill, a covered entity’s business type may include an
individual or a sole proprietorship, partnership, firm, corporation,
trust, limited liability company or partnership, joint stock company,
joint ventures, associations, or other legal entities through which for-
profit or non-profit business is conducted.
Data Breach
The bill defines a “data breach” as unauthorized access to and
acquisition of computerized data that (1) compromises the security or
confidentiality of personal or restricted information owned by or
licensed to a covered entity and (2) causes a material risk of identity
theft or other fraud to a person or property (or reasonably is believed
to have caused or will cause such risk). The definition specifically
excludes:
1. employees or agents of a covered entity acquiring personal or
restricted information in good faith for the purposes of the
entity, so long as the entity does not unlawfully use this
information or subject it to further unauthorized disclosure, or
2. the acquisition of this information pursuant to a (a) search
warrant, (b) subpoena or other court order, or (c) regulatory
state agency’s order or duty.
Personal and Restricted Information 2021HB-06607-R01-BA.DOCX
Researcher: SM Page 5 5/21/21
Under the bill, “personal information” means an individual’s first
name or initial and last name in combination with one or more of the
following:
1. social security, taxpayer identification, Internal Revenue
Service-issued identity protection personal identification,
driver’s license, state identification card, passport, or military
identification numbers, or other commonly used government-
issued identification numbers;
2. credit or debit card numbers; financial account numbers in
combination with required security codes, access codes, or
passwords that would permit access to these accounts;
3. medical information on an individual’s medical history, mental
or physical condition, or medical treatment or diagnosis by a
health care professional;
4. health insurance policy or subscriber identification numbers, or
unique identifiers health insurers use to identify individuals; or
5. biometric information that can identify an individual using their
unique physical characteristics, including a fingerprint, voice
print, or retina or iris image.
Personal information also includes user names or e-mail addresses
in combination with passwords or security questions and answers that
would permit access to online accounts. However, the definition
excludes publicly available information lawfully available to the
general public from federal, state, or local government records or
widely distributed media.
“Restricted information” means any unencrypted, unredacted, or
unaltered information about an individual that, alone or in
combination with other information (including personal information
as described above), (1) can be used to distinguish or trace the
individual’s identity or is reasonably linked or linkable to an
individual and (2) is likely to result in a material risk of identity theft 2021HB-06607-R01-BA.DOCX
Researcher: SM Page 6 5/21/21
or other fraud to a person or property if breached. The definition
excludes personal or publicly available information.
COMMITTEE ACTION
Commerce Committee
Joint Favorable Change of Reference - JUD
Yea 22 Nay 1 (03/22/2021)
Judiciary Committee
Joint Favorable Substitute
Yea 32 Nay 3 (04/09/2021)