Connecticut 2021 2021 Regular Session

Connecticut House Bill HB06607 Comm Sub / Analysis

Filed 08/24/2021

                    O F F I C E O F L E G I S L A T I V E R E S E A R C H 
P U B L I C A C T S U M M A R Y 
 
  	Page 1 
PA 21-119—sHB 6607 
Commerce Committee 
Judiciary Committee 
 
AN ACT INCENTIVIZING THE ADOPTION OF CYBE RSECURITY 
STANDARDS FOR BUSINE SSES 
 
SUMMARY: This act prohibits the Superior Court from assessing punitive 
damages against a covered entity for a data breach of personal or restricted 
information if the covered entity meets certain cybersecurity requirements. The 
protection does not apply if the covered entity’s failure to implement reasonable 
cybersecurity controls resulted from gross negligence or willful or wanton 
conduct.  
Under the act, “covered entities” are businesses accessing, maintaining, 
communicating, or processing personal or restricted information in or through 
systems, networks, or services located inside or outside the state. 
The act’s provisions do not: 
1. affect or limit the process of granting certification in class actions; 
2. affect or limit existing statutory requirements for (a) state contractors that 
receive confidential information and (b) Connecticut businesses that 
maintain computerized personal information and suffer security breaches; 
or  
3. limit the authority of the attorney general or the Department of Consumer 
Protection commissioner to seek administrative, legal, or equitable relief 
allowed by law. 
EFFECTIVE DATE:  October 1, 2021 
 
PROTECTION AGAINST PUNITIVE DAMAGES  
 
Under the act, when a civil action alleges that a data breach resulted from a 
covered entity’s failure to implement reasonable cybersecurity controls, the court 
may not assess punitive damages if the covered entity created, maintained, and 
complied with a written cybersecurity program containing administrative, 
technical, and physical safeguards for protecting personal or restricted 
information. To qualify for this protection, these cybersecurity programs must (1) 
meet specified design requirements and (2) conform to an industry-recognized 
cybersecurity framework.  
 
CYBERSECURITY PROGRA M DESIGN REQUIREMENT S 
 
To qualify for the act’s protection against punitive damages, a covered entity’s 
cybersecurity program must be designed to protect the security and confidentiality 
of personal and restricted information. The program must specifically protect this  O L R P U B L I C A C T S U M M A R Y 
 	Page 2 of 4  
information against (1) threats or hazards to its security or integrity and (2) 
unauthorized access and acquisition that would cause material risk of identity 
theft or other fraud.  
The act requires that the scale and scope of a covered entity’s cybersecurity 
program be based on the (1) entity’s size and complexity, and the nature and 
scope of its activities; (2) sensitivity of the information to be protected; and (3) 
cost and availability of tools to improve information security and reduce 
vulnerabilities.  
 
INDUSTRY-RECOGNIZED CYBERSECU RITY FRAMEWORKS 
 
Under the act, an industry-recognized cybersecurity framework includes the 
most current version of: 
1. one or any combination of six specifically recognized frameworks (see 
table below);  
2. one of the following federal laws and regulations (for entities subject to 
them or regulated by the state or federal government): (a) the security 
requirements of the Health Insurance Portability and Accountability Act of 
1996, (b) Title V of the Gramm-Leach-Bliley Act of 1999, (c) the Federal 
Information Security Modernization Act of 2014, or (d) the security 
requirements of the Health Information Technology for Economic and 
Clinical Health Act; or   
3. the “Payment Card Industry Data Security Standard” in combination with 
one of the acceptable frameworks listed in the table below.  
 
Industry-Recognized Cybersecurity Frameworks  
Publisher  	Framework 
National Institute of Standards and 
Technology 
"Framework for Improving Critical 
Infrastructure Cybersecurity"  
Special Publication (SP) 800-171 
SP 800-53 and 800-53a  
Federal Risk and Management 
Program  
"FedRAMP Security Assessment 
Framework" 
Center for Internet Security "Center for Internet Security Critical 
Security Controls for Effective Cyber 
Defense" 
International Organization for 
Standardization and the International 
Electrotechnical Commission 
"ISO/IEC 27000-series"  
 
The act requires a covered entity to conform with revisions or amendments to 
these frameworks, laws, and regulations within six months after the revised 
document is published or the laws or regulations are amended, as applicable.  
 
DEFINITIONS  
  O L R P U B L I C A C T S U M M A R Y 
 	Page 3 of 4  
Businesses  
 
Under the act, a covered entity’s business type may include an individual or a 
sole proprietorship, partnership, firm, corporation, trust, limited liability company 
or partnership, joint stock company, joint ventures, associations, or other legal 
entities through which for-profit or non-profit business is conducted.  
 
Data Breach  
 
The act defines a “data breach” as unauthorized access to and acquisition of 
computerized data that (1) compromises the security or confidentiality of personal 
or restricted information owned by or licensed to a covered entity and (2) causes a 
material risk of identity theft or other fraud to a person or property (or reasonably 
is believed to have caused or will cause such risk). The definition specifically 
excludes: 
1. employees or agents of a covered entity acquiring personal or restricted 
information in good faith for the purposes of the entity, so long as the 
entity does not unlawfully use this information or subject it to further 
unauthorized disclosure, or  
2. the acquisition of this information pursuant to a (a) search warrant, (b) 
subpoena or other court order, or (c) regulatory state agency’s order or 
duty.  
 
Personal and Restricted Information  
 
Under the act, “personal information” means an individual’s first name or 
initial and last name in combination with one or more of the following: 
1. social security, taxpayer identification, Internal Revenue Service-issued 
identity protection personal identification, driver’s license, state 
identification card, passport, or military identification numbers, or other 
commonly used government-issued identification numbers;  
2. credit or debit card numbers; financial account numbers in combination 
with required security codes, access codes, or passwords that would permit 
access to these accounts;  
3. medical information about an individual’s medical history, mental or 
physical condition, or medical treatment or diagnosis by a health care 
professional;  
4. health insurance policy or subscriber identification numbers, or unique 
identifiers health insurers use to identify individuals; or 
5. biometric information that can identify an individual using his or her 
unique physical characteristics, including a fingerprint, voice print, or 
retina or iris image. 
Personal information also includes user names or e-mail addresses in 
combination with passwords or security questions and answers that would permit 
access to online accounts. However, the definition excludes publicly available 
information lawfully available to the general public from federal, state, or local  O L R P U B L I C A C T S U M M A R Y 
 	Page 4 of 4  
government records or widely distributed media.    
“Restricted information” means any unencrypted, unredacted, or unaltered 
information about an individual that, alone or in combination with other 
information (including personal information as described above), (1) can be used 
to distinguish or trace the individual’s identity or is reasonably linked or linkable 
to an individual and (2) is likely to result in a material risk of identity theft or 
other fraud to a person or property if breached. The definition excludes personal 
or publicly available information.