Inside Cybersecurity

July 27, 2021

Daily News

New Connecticut law creates liability protections for businesses implementing recognized cyber frameworks

By Charlie Mitchell / July 14, 2021

Connecticut Gov. Ned Lamont (D) has signed into law a measure that creates new incentives for businesses to employ “reasonable cybersecurity controls,” including protection from punitive damages.

“The bill, introduced by Representative Caroline Simmons, prohibits the Superior Court from assessing punitive damages against an organization that implements reasonable cybersecurity controls, including industry recognized cybersecurity frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the CIS Controls,” according to a release by the Center for Internet Security, which maintains the CIS controls.

“It is critically important to do a better job of protecting businesses and consumers against cyber-attacks,” Simmons said in a statement. “In Connecticut, we took a step to accomplish this voluntarily without regulation by incentivizing organizations to adopt cyber best practices, like the NIST framework and the CIS Critical Security Controls.”

The law takes effect on Oct. 1 and makes Connecticut the third state after Ohio and Utah to provide such incentives for implementing cyber best practices.

The bill “would establish a legal safe harbor for organizations in Connecticut that voluntarily adopt certain recognized cybersecurity best practices like the CIS Controls and implement a written information security program,” CIS’ Curtis Dukes testified in March before the General Assembly’s Commerce Committee.

“The CIS Controls are a set of internationally-recognized, prioritized actions that form the foundation of basic cyber hygiene and essential cyber defense. Applying the CIS Controls provides a critical, measurable security value against a wide range of potential attacks,” according to a statement by CIS, which noted that under the Connecticut law “organizations have to conform with revisions and amendments to identified industry-recognized cybersecurity frameworks (like the CIS Controls), laws, and regulations within six months after the revised document is published.” – Charlie Mitchell (cmitchell@iwpnews.com)