O F F I C E O F L E G I S L A T I V E R E S E A R C H P U B L I C A C T S U M M A R Y Page 1 PA 21-119—sHB 6607 Commerce Committee Judiciary Committee AN ACT INCENTIVIZING THE ADOPTION OF CYBE RSECURITY STANDARDS FOR BUSINE SSES SUMMARY: This act prohibits the Superior Court from assessing punitive damages against a covered entity for a data breach of personal or restricted information if the covered entity meets certain cybersecurity requirements. The protection does not apply if the covered entity’s failure to implement reasonable cybersecurity controls resulted from gross negligence or willful or wanton conduct. Under the act, “covered entities” are businesses accessing, maintaining, communicating, or processing personal or restricted information in or through systems, networks, or services located inside or outside the state. The act’s provisions do not: 1. affect or limit the process of granting certification in class actions; 2. affect or limit existing statutory requirements for (a) state contractors that receive confidential information and (b) Connecticut businesses that maintain computerized personal information and suffer security breaches; or 3. limit the authority of the attorney general or the Department of Consumer Protection commissioner to seek administrative, legal, or equitable relief allowed by law. EFFECTIVE DATE: October 1, 2021 PROTECTION AGAINST PUNITIVE DAMAGES Under the act, when a civil action alleges that a data breach resulted from a covered entity’s failure to implement reasonable cybersecurity controls, the court may not assess punitive damages if the covered entity created, maintained, and complied with a written cybersecurity program containing administrative, technical, and physical safeguards for protecting personal or restricted information. To qualify for this protection, these cybersecurity programs must (1) meet specified design requirements and (2) conform to an industry-recognized cybersecurity framework. CYBERSECURITY PROGRA M DESIGN REQUIREMENT S To qualify for the act’s protection against punitive damages, a covered entity’s cybersecurity program must be designed to protect the security and confidentiality of personal and restricted information. The program must specifically protect this O L R P U B L I C A C T S U M M A R Y Page 2 of 4 information against (1) threats or hazards to its security or integrity and (2) unauthorized access and acquisition that would cause material risk of identity theft or other fraud. The act requires that the scale and scope of a covered entity’s cybersecurity program be based on the (1) entity’s size and complexity, and the nature and scope of its activities; (2) sensitivity of the information to be protected; and (3) cost and availability of tools to improve information security and reduce vulnerabilities. INDUSTRY-RECOGNIZED CYBERSECU RITY FRAMEWORKS Under the act, an industry-recognized cybersecurity framework includes the most current version of: 1. one or any combination of six specifically recognized frameworks (see table below); 2. one of the following federal laws and regulations (for entities subject to them or regulated by the state or federal government): (a) the security requirements of the Health Insurance Portability and Accountability Act of 1996, (b) Title V of the Gramm-Leach-Bliley Act of 1999, (c) the Federal Information Security Modernization Act of 2014, or (d) the security requirements of the Health Information Technology for Economic and Clinical Health Act; or 3. the “Payment Card Industry Data Security Standard” in combination with one of the acceptable frameworks listed in the table below. Industry-Recognized Cybersecurity Frameworks Publisher Framework National Institute of Standards and Technology "Framework for Improving Critical Infrastructure Cybersecurity" Special Publication (SP) 800-171 SP 800-53 and 800-53a Federal Risk and Management Program "FedRAMP Security Assessment Framework" Center for Internet Security "Center for Internet Security Critical Security Controls for Effective Cyber Defense" International Organization for Standardization and the International Electrotechnical Commission "ISO/IEC 27000-series" The act requires a covered entity to conform with revisions or amendments to these frameworks, laws, and regulations within six months after the revised document is published or the laws or regulations are amended, as applicable. DEFINITIONS O L R P U B L I C A C T S U M M A R Y Page 3 of 4 Businesses Under the act, a covered entity’s business type may include an individual or a sole proprietorship, partnership, firm, corporation, trust, limited liability company or partnership, joint stock company, joint ventures, associations, or other legal entities through which for-profit or non-profit business is conducted. Data Breach The act defines a “data breach” as unauthorized access to and acquisition of computerized data that (1) compromises the security or confidentiality of personal or restricted information owned by or licensed to a covered entity and (2) causes a material risk of identity theft or other fraud to a person or property (or reasonably is believed to have caused or will cause such risk). The definition specifically excludes: 1. employees or agents of a covered entity acquiring personal or restricted information in good faith for the purposes of the entity, so long as the entity does not unlawfully use this information or subject it to further unauthorized disclosure, or 2. the acquisition of this information pursuant to a (a) search warrant, (b) subpoena or other court order, or (c) regulatory state agency’s order or duty. Personal and Restricted Information Under the act, “personal information” means an individual’s first name or initial and last name in combination with one or more of the following: 1. social security, taxpayer identification, Internal Revenue Service-issued identity protection personal identification, driver’s license, state identification card, passport, or military identification numbers, or other commonly used government-issued identification numbers; 2. credit or debit card numbers; financial account numbers in combination with required security codes, access codes, or passwords that would permit access to these accounts; 3. medical information about an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; 4. health insurance policy or subscriber identification numbers, or unique identifiers health insurers use to identify individuals; or 5. biometric information that can identify an individual using his or her unique physical characteristics, including a fingerprint, voice print, or retina or iris image. Personal information also includes user names or e-mail addresses in combination with passwords or security questions and answers that would permit access to online accounts. However, the definition excludes publicly available information lawfully available to the general public from federal, state, or local O L R P U B L I C A C T S U M M A R Y Page 4 of 4 government records or widely distributed media. “Restricted information” means any unencrypted, unredacted, or unaltered information about an individual that, alone or in combination with other information (including personal information as described above), (1) can be used to distinguish or trace the individual’s identity or is reasonably linked or linkable to an individual and (2) is likely to result in a material risk of identity theft or other fraud to a person or property if breached. The definition excludes personal or publicly available information.