Inside Cybersecurity

April 12, 2024


Connecticut looks to NIST framework, CIS controls in bill offering liability protection

By Charlie Mitchell / March 22, 2021

Legislation in the Connecticut General Assembly would offer companies a legal safe harbor when they incorporate cyber best practices and use tools including the NIST cybersecurity framework and the CIS Controls, as state lawmakers look for ways to drive up security across their digital ecosystems.

The bill “would establish a legal safe harbor for organizations in Connecticut that voluntarily adopt certain recognized cybersecurity best practices like the CIS Controls and implement a written information security program,” Curtis Dukes, executive vice president and general manager for security best practices at the Center for Internet Security, testified last week before the Assembly’s Commerce Committee.

“It creates an incentive to do the right thing – to improve cybersecurity according to a recognized industry standard – and receive an additional benefit in the bargain,” Dukes said.

The legislation was crafted by Democratic state Rep. Caroline Simmons, who chairs the Commerce Committee.

HB 6607 says:

In any cause of action founded in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, it shall be an affirmative defense that a covered entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that reasonably conforms to an industry recognized cybersecurity framework, as described in subsection (c) of this section and that such covered entity designed its cybersecurity program in accordance with the provisions of subsection (d) of this section.

The bill would take effect on Oct. 1 if signed into law.

CIS in a release noted, “The CIS Controls are a set of internationally-recognized, prioritized actions that form the foundation of basic cyber hygiene and essential cyber defense. They act as a blueprint for system and network operators to improve cyber defense by identifying specific actions to be done in a priority order, based on the current state of the global cyber threat.”

Simmons last fall announced her intention to offer the bill in the 2021 legislative session. She served at the U.S. Department of Homeland Security for over four years and has been in the Assembly since 2014. Simmons is also currently running for mayor of Stamford.

"Connecticut has the opportunity to be a national leader on cybersecurity," she said in late October. "Now is the time to advance legislation incentivizing the voluntary adoption of Cybersecurity protocols in order to protect our public and private sector industries from this threat."

Simmons’ office said in a release at the time, “The cyber threat is real. Cyber threats pose serious risks to CT’s infrastructure, utilities, businesses, hospitals, schools, and consumers. There were over 400 reports of security breaches in CT in 2013, compromising the personal information of over 500,000 CT residents. These include attacks ranging from the Target, Home Depot, and Anthem breaches, to attacks on our state and local government agencies, schools, and small businesses, pointing to the increasing need for better cyber defenses. Yet, no national legal minimum standard of cybersecurity exists that our public and private sector organizations must follow.”

Further, Simmons’ office said, “Until then, we can increase our cybersecurity by incentivizing the voluntary adoption of cybersecurity best practices. One way to do that is to create a safe harbor for all organizations in Connecticut for adopting a written cyber plan based on a recognized best practice, like the NIST Cybersecurity Framework or the CIS Critical Security Controls.” – Charlie Mitchell