Connecticut 2021 Regular Session

Connecticut House Bill HB06607 Compare Versions

Differences: lines marked "-" are the old version (Public Act No. 21-119), lines marked "+" are the new version (Substitute Bill No. 6607), and unmarked lines are common to both.

+LCO \\PRDFS1\HCOUSERS\BARRYJN\WS\2021HB-06607-R02-HB.docx
+General Assembly Substitute Bill No. 6607
+January Session, 2021
-Substitute House Bill No. 6607
-Public Act No. 21-119

 AN ACT INCENTIVIZING THE ADOPTION OF CYBERSECURITY
 STANDARDS FOR BUSINESSES.
 Be it enacted by the Senate and House of Representatives in General
 Assembly convened:

-Section 1. (NEW) (Effective October 1, 2021) (a) As used in this section:
-(1) "Business" means any individual or sole proprietorship,
-partnership, firm, corporation, trust, limited liability company, limited
-liability partnership, joint stock company, joint venture, association or
-other legal entity through which business for profit or not-for-profit is
-conducted;
-(2) "Covered entity" means a business that accesses, maintains,
-communicates or processes personal information or restricted
-information in or through one or more systems, networks or services
-located in or outside this state;
-(3) "Data breach" means unauthorized access to and acquisition of
-computerized data that compromises the security or confidentiality of
-personal information or restricted information owned by or licensed to
-a covered entity and that causes, reasonably is believed to have caused
-or reasonably is believed will cause a material risk of identity theft or
-other fraud to a person or property. "Data breach" does not include (A)
-good faith acquisition of personal information or restricted information
+Section 1. (NEW) (Effective October 1, 2021) (a) As used in this section:
+(1) "Business" means any individual or sole proprietorship,
+partnership, firm, corporation, trust, limited liability company, limited
+liability partnership, joint stock company, joint venture, association or
+other legal entity through which business for profit or not-for-profit is
+conducted;
+(2) "Covered entity" means a business that accesses, maintains,
+communicates or processes personal information or restricted
+information in or through one or more systems, networks or services
+located in or outside this state;
+(3) "Data breach" means unauthorized access to and acquisition of
+computerized data that compromises the security or confidentiality of
+personal information or restricted information owned by or licensed to
+a covered entity and that causes, reasonably is believed to have caused
+or reasonably is believed will cause a material risk of identity theft or
+other fraud to a person or property. "Data breach" does not include (A)
+good faith acquisition of personal information or restricted information
-by the covered entity's employee or agent for the purposes of the
-covered entity, provided the personal information or restricted
-information is not used for an unlawful purpose or subject to further
-unauthorized disclosure, or (B) acquisition of personal information or
-restricted information pursuant to a search warrant, subpoena or other
-court order, or pursuant to a subpoena, order or duty of a regulatory
-state agency;
-(4) "Personal information" means an individual's (A) first name or
-first initial and last name in combination with any one, or more, of the
-following data: (i) Social Security number; (ii) taxpayer identification
-number; (iii) identity protection personal identification number issued
-by the Internal Revenue Service; (iv) driver's license number, state
-identification card number, passport number, military identification
-number or other identification number issued by the government that is
-commonly used to verify identity; (v) credit or debit card number; (vi)
-financial account number in combination with any required security
-code, access code or password that would permit access to such
-financial account; (vii) medical information regarding an individual's
-medical history, mental or physical condition, or medical treatment or
-diagnosis by a health care professional; (viii) health insurance policy
-number or subscriber identification number, or any unique identifier
-used by a health insurer to identify the individual; or (ix) biometric
-information consisting of data generated by electronic measurements of
-an individual's unique physical characteristics used to authenticate or
-ascertain the individual's identity, such as a fingerprint, voice print,
-retina or iris image; or (B) user name or electronic mail address, in
-combination with a password or security question and answer that
-would permit access to an online account. "Personal information" does
-not include publicly available information that is lawfully made
-available to the general public from federal, state or local government
-records or widely distributed media; and
+by the covered entity's employee or agent for the purposes of the
+covered entity, provided the personal information or restricted
+information is not used for an unlawful purpose or subject to further
+unauthorized disclosure, or (B) acquisition of personal information or
+restricted information pursuant to a search warrant, subpoena or other
+court order, or pursuant to a subpoena, order or duty of a regulatory
+state agency;
+(4) "Personal information" means an individual's name, consisting of
+the individual's first name or first initial and last name, in combination
+with and linked to any one or more of the following data elements, when
+the data elements are not encrypted, redacted or altered by any method
+or technology in such a manner that the data elements are unreadable:
+(A) Social security number; (B) driver's license number or state
+identification number; or (C) account number or credit or debit card
+number, in combination with and linked to any required security code,
+access code or password that would permit access to an individual's
+financial account; and
+(5) "Restricted information" means any information about an
+individual, other than personal information, that, alone or in
+combination with other information, including personal information,
+can be used to distinguish or trace the individual's identity or that is
+linked or linkable to an individual, if the information is not encrypted,
+redacted or altered by any method or technology in such a manner that
+the information is unreadable, and the breach of which is likely to result
+in a material risk of identity theft or other fraud to a person or property.
+(b) In any cause of action founded in tort that is brought under the
+laws of this state or in the courts of this state and that alleges that the
+failure to implement reasonable cybersecurity controls resulted in a data
+breach concerning personal information or restricted information, it
+shall be an affirmative defense that a covered entity created, maintained
+and complied with a written cybersecurity program that contains
+administrative, technical and physical safeguards for the protection of
+personal or restricted information and that conforms to an industry
-(5) "Restricted information" means any information about an
-individual, other than personal information or publicly available
-information, that, alone or in combination with other information,
-including personal information, can be used to distinguish or trace the
-individual's identity or that is reasonably linked or linkable to an
-individual, if the information is not encrypted, redacted or altered by
-any method or technology in such a manner that the information is
-unreadable, and the breach of which is likely to result in a material risk
-of identity theft or other fraud to a person or property.
-(b) In any cause of action founded in tort that is brought under the
-laws of this state or in the courts of this state and that alleges that the
-failure to implement reasonable cybersecurity controls resulted in a data
-breach concerning personal information or restricted information, the
-Superior Court shall not assess punitive damages against a covered
-entity if such entity created, maintained and complied with a written
-cybersecurity program that contains administrative, technical and
-physical safeguards for the protection of personal or restricted
-information and that conforms to an industry recognized cybersecurity
-framework, as described in subsection (c) of this section and that such
-covered entity designed its cybersecurity program in accordance with
-the provisions of subsection (d) of this section. The provisions of this
-subsection shall not apply if such failure to implement reasonable
-cybersecurity controls was the result of gross negligence or wilful or
-wanton conduct.
-(c) A covered entity's cybersecurity program, as described in
-subsection (b) of this section, conforms to an industry recognized
-cybersecurity framework if:
-(1) (A) The cybersecurity program conforms to the current version of
-or any combination of the current versions of:
-(i) The "Framework for Improving Critical Infrastructure
-Cybersecurity" published by the National Institute of Standards and
-Technology;
-(ii) The National Institute of Standards and Technology's special
-publication 800-171;
-(iii) The National Institute of Standards and Technology's special
-publications 800-53 and 800-53a;
-(iv) The Federal Risk and Management Program's "FedRAMP
-Security Assessment Framework";
-(v) The Center for Internet Security's "Center for Internet Security
-Critical Security Controls for Effective Cyber Defense"; or
-(vi) The "ISO/IEC 27000-series" information security standards
-published by the International Organization for Standardization and the
-International Electrotechnical Commission.
-(B) When a revision to a document listed in subparagraph (A) of this
-section is published, a covered entity whose cybersecurity program
-conforms to a prior version of said document, such covered entity shall
-conform to such revision not later than six months after the publication
-date of such revision;
-(2) (A) The covered entity is regulated by the state or the federal
-government or is otherwise subject to the requirements of any of the
-laws or regulations identified in subparagraphs (A)(i) to (A)(iv),
-inclusive, of this subdivision, and such covered entity's cybersecurity
-program conforms to the current version of:
-(i) The security requirements of the Health Insurance Portability and
-Accountability Act of 1996, P.L. 104-191, as amended from time to time,
-as set forth in 45 CFR 164, Subpart C, as amended from time to time;
-(ii) Title V of the Gramm-Leach-Bliley Act of 1999, P.L. 106-102, as
+recognized cybersecurity framework, as described in subsection (c) of
+this section and that such covered entity designed its cybersecurity
+program in accordance with the provisions of subsection (d) of this
+section.
+(c) A covered entity's cybersecurity program, as described in
+subsection (b) of this section, conforms to an industry recognized
+cybersecurity framework if:
+(1) (A) The cybersecurity program conforms to the current version of
+or any combination of the current versions of:
+(i) The "Framework for Improving Critical Infrastructure
+Cybersecurity" published by the National Institute of Standards and
+Technology;
+(ii) The National Institute of Standards and Technology's special
+publication 800-171;
+(iii) The National Institute of Standards and Technology's special
+publications 800-53 and 800-53a;
+(iv) The Federal Risk and Management Program's "FedRAMP
+Security Assessment Framework";
+(v) The Center for Internet Security's "Center for Internet Security
+Critical Security Controls for Effective Cyber Defense"; or
+(vi) The "ISO/IEC 27000-series" information security standards
+published by the International Organization for Standardization and the
+International Electrotechnical Commission.
+(B) When a revision to a document listed in subparagraph (A) of this
+section is published, a covered entity whose cybersecurity program
+conforms to a prior version of said document, such covered entity shall
+conform to such revision not later than sixty days after the publication
+date of such revision.
-amended from time to time;
-(iii) The Federal Information Security Modernization Act of 2014, P.L.
-113-283, as amended from time to time; or
-(iv) The security requirements of the Health Information Technology
-for Economic and Clinical Health Act, as amended from time to time, as
-set forth in 45 CFR 162, as amended from time to time.
-(B) If any of the laws or regulations identified in subparagraphs (A)(i)
-to (A)(iv), inclusive, of this subdivision are amended, a covered entity
-whose cybersecurity program conforms to a prior version of said laws
-or regulations, such covered entity shall conform to such amended law
-or regulation not later than six months after the date of such
-amendment; or
-(3) (A) The cybersecurity program complies with the current version
-of the "Payment Card Industry Data Security Standard" and the current
-version of another applicable industry recognized cybersecurity
-framework described in subparagraph (A) of subdivision (1) of this
-subsection.
-(B) When a revision to the "Payment Card Industry Data Security
-Standard" is published, a covered entity whose cybersecurity program
-conforms to a prior version of said document, such covered entity shall
-conform to such revision not later than six months after the publication
-date of such revision.
-(d) (1) A covered entity's cybersecurity program, as described in
-subsection (b) of this section, shall be designed to do the following with
-respect to personal and restricted information: (A) Protect the security
-and confidentiality of such information; (B) protect against any threats
-or hazards to the security or integrity of such information; and (C)
-protect against unauthorized access to and acquisition of the
-information that would result in a material risk of identity theft or other
+(2) (A) The covered entity is regulated by the state or the federal
+government or is otherwise subject to the requirements of any of the
+laws or regulations identified in subparagraph (A)(i) to (A)(iv),
+inclusive, of this subdivision, and such covered entity's cybersecurity
+program conforms to the current version of:
+(i) The security requirements of the Health Insurance Portability and
+Accountability Act of 1996, P.L. 104-191, as amended from time to time,
+as set forth in 45 CFR 164, Subpart C, as amended from time to time;
+(ii) Title V of the Gramm-Leach-Bliley Act of 1999, P.L. 106-102, as
+amended from time to time;
+(iii) The Federal Information Security Modernization Act of 2014, P.L.
+113-283, as amended from time to time;
+(iv) The security requirements of the Health Information Technology
+for Economic and Clinical Health Act, as amended from time to time, as
+set forth in 45 CFR 162, as amended from time to time.
+(B) If any of the laws or regulations identified in subparagraph (A)(i)
+to (A)(iv), inclusive, of this subdivision are amended, a covered entity
+whose cybersecurity program conforms to a prior version of said laws
+or regulations, such covered entity shall conform to such amended law
+or regulation not later than sixty days after the date of such amendment.
+(3) (A) The cybersecurity program complies with the current version
+of the "Payment Card Industry Data Security Standard" and the current
+version of another applicable industry recognized cybersecurity
+framework described in subparagraph (A) of subdivision (1) of this
+subsection.
+(B) When a revision to the "Payment Card Industry Data Security
+Standard" is published, a covered entity whose cybersecurity program
+conforms to a prior version of said document, such covered entity shall
+conform to such revision not later than one year after the publication
+date of such revision.
-fraud to the individual to whom the information relates.
-(2) The scale and scope of a covered entity's cybersecurity program
-shall be based on the following factors: (A) The size and complexity of
-the covered entity; (B) the nature and scope of the activities of the
-covered entity; (C) the sensitivity of the information to be protected; and
-(D) the cost and availability of tools to improve information security and
-reduce vulnerabilities.
-(e) Nothing in this section shall be construed to affect or limit the
-process by which certification is granted in class actions founded in tort.
-(f) Nothing in this section shall be construed to limit the authority of
-the Attorney General or the Commissioner of Consumer Protection to
-seek administrative, legal or equitable relief as otherwise allowed by the
-general statutes or common law.
-(g) Nothing in this section shall be construed to affect or limit any
-requirement of section 4e-70 or 36a-701b of the general statutes.
+(d) (1) A covered entity's cybersecurity program shall be designed to
+do the following with respect to personal and restricted information: (A)
+Protect the security and confidentiality of such information; (B) protect
+against any anticipated threats or hazards to the security or integrity of
+such information; and (C) protect against unauthorized access to and
+acquisition of the information that is likely to result in a material risk of
+identity theft or other fraud to the individual to whom the information
+relates.
+(2) The scale and scope of a covered entity's cybersecurity program
+shall be based on the following factors: (A) The size and complexity of
+the covered entity; (B) the nature and scope of the activities of the
+covered entity; (C) the sensitivity of the information to be protected; (D)
+the cost and availability of tools to improve information security and
+reduce vulnerabilities; and (E) the resources available to the covered
+entity.
+
+This act shall take effect as follows and shall amend the following
+sections:
+
+Section 1 | October 1, 2021 | New section
+
+Statement of Legislative Commissioners:
+Throughout the bill, the word "reasonably" was deleted for consistency
+with other provisions of the Section.
+
+CE Joint Favorable C/R JUD
+JUD Joint Favorable Subst.