Like many state data security laws, the Cybersecurity Standards Act requires a cybersecurity program with “reasonable” controls. But, rather than define what is reasonable by reference to certain enumerated requirements (like the laws in neighboring states Massachusetts and New York), the Cybersecurity Standards Act includes more general requirements and what is reasonable cybersecurity is established by way of a safe harbor. Specifically, the Cybersecurity Standards Act makes available an affirmative defense to a tort claim that a business’ failure to “implement reasonable cybersecurity controls” results in a data breach. The affirmative defense is available when the action is brought under Connecticut law or in Connecticut state courts and when the defendant business can demonstrate that it conformed to one of the enumerated “industry recognized” cybersecurity frameworks.
The named frameworks are:
The affirmative defense also is available if the defendant business is subject to and conforms its cybersecurity program to any of the following federal laws:
- Security requirements of the Health Insurance Portability and Accountability Act or the Health Information Technology for Economic and Clinical Health Act.
- Title V of the Gramm-Leach-Bliley Act.
- Federal Information Security Modernization Act.
The business loses the affirmative defense if one of these laws is amended and the business does not comply with the amended version within six months after the amendment date. The same six-month rule also applies to compliance with PCI-DSS.
The Cybersecurity Standards Act is similar to Ohio’s data security law, which offers a “safe harbor” to a tort claim that a business’ failure to “implement reasonable information security controls” results in a data breach if the business complies with one of the listed industry standards and laws. The Ohio law gives a business one year to comply with an amendment.
Under the Cybersecurity Standards Act, the cybersecurity program must protect both “personal information” and “restricted information”. The former, “personal information”, includes the same combination of personal information as in Connecticut’s data breach notification law (Connecticut General Statutes § 36a-701b) but adds some new categories of identifiers, such as an identity protection personal identification number issued by the Internal Revenue Service and biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image. The latter, “restricted information”, means information (other than personal information or publicly available information) that, “alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is reasonably linked or linkable to an individual, if the information is not encrypted, redacted or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property”.
Complying with an industry data security framework is clearly beneficial under the Cybersecurity Standards Act (as well as the Ohio law) but, depending on the volume and sensitivity of a business’ information processing and available resources, the time and money needed to comply with an industry standard may outweigh the benefit.