Hello everyone and thanks for stopping by.
We wanted to take a quick minute to highlight what Connecticut Governor Ned Lamont recently signed into law the other day. Before we dive in, an obligatory disclaimer. We are not lawyers. This post is not legal advice or a legal opinion. We urge you to consult with an attorney who is knowledgeable about cyber security and privacy laws to understand how Public Act No. 21-119 affects your organization. We can recommend one if you want to have this conversation. Reach out to us in the form below.
Moving on, we’re going to condense the key points for you and provide relevant links that we found helpful. We’ll also highlight where our services fit in so that you can work towards compliance.
Who is affected by this law:
- Sole proprietors
- Joint stock and joint venture entities
- For-profit and non-profit firms
This law is meant to incentivize organizations to adopt cyber security standards. More on that in a minute.
If you fall into one of these organization types, you next need to figure out whether you’re a “Covered entity.” The act defines this as an organization that accesses, maintains, or communicates personal information through a system, or multiple systems, located in or outside the State of Connecticut.
If you are found to be a covered entity, you must adopt a cyber security framework from a reputable organization such as NIST (National Institute of Standards and Technology), FedRAMP (Federal Risk and Management Program), the Center for Internet Security, or the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC). According to the law, if you adhere to one of these frameworks and your organization suffers a data breach, the text reads:
In any cause of action founded in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework, as described in subsection (c) of this section and that such covered entity designed its cybersecurity program in accordance with the provisions of subsection (d) of this section. The provisions of this subsection shall not apply if such failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct.
It should also be noted that in order to keep the benefit of these protections, if the body behind your chosen framework updates that framework, your organization must be compliant with the changes within six months.
Here is a list of links to the frameworks mentioned in the Act to help you evaluate which one best suits your organization:
- NIST: NIST 800-171, 800-53, and 800-53a
- FedRAMP: FedRAMP Security Assessment Framework
- Center for Internet Security: Center for Internet Security Critical Security Controls for Effective Cyber Defense
- ISO/IEC: ISO/IEC 27000 series
If you are in an industry that is regulated by the State or Federal government, or are subject to other laws or regulations (e.g. HIPAA, FISMA, GLB, PCI-DSS), those frameworks should be adhered to.
NOTE: If you happen to stumble upon this blog post well after its publication date, consider the versions of the frameworks we linked to as out of date and seek out the current versions. We’ll do our best to keep the framework links updated.
Full text of Public Act No. 21-119:
Here is the link for Public Act No. 21-119. Please read through it carefully as we didn’t include everything, and again, address any legal questions with a knowledgeable attorney.
How Bsquared Intel fits into your strategy:
We provide external risk and threat assessments, which map onto parts of these frameworks. Here are some of the things we look for:
- Security holes in your websites that bad actors could exploit to deface them, steal data, or spread malware.
- Phishing sites or impostor social media profiles.
- Data breaches your organization may be tied up in.
- Data leaks or dumps, such as sensitive internal documents published in a public forum or password dumps.
Check out our business services here and then contact us below to have a conversation.