A Robust Cybersecurity Program Can Now Be Your Best Defense In A Lawsuit – Mondaq News Alerts




As data breaches become a fact of life for both businesses and
consumers, barely a news cycle goes by without a story of another
successful hack, ransomware, theft of personal data or other data
breach. These data breaches are occurring in an environment in
which cyber criminals continue to evolve their methods and increase
the sophistication of their attacks, resulting in more and more
business leaders coming to the unsettling realization that their
organization will never be 100% secure or “breach
proof” – no matter how much time and money they spend on
cybersecurity and employee training.

Data breaches harm consumers and cost businesses valuable time
and money, in terms of response costs, damage to information
systems, and reputational costs. While still a generally nascent
threat, another cost is the risk of lawsuits from employees,
consumers, customers or other parties affected by the data breach.
These lawsuits may arise in the context of a breach of contract
claim (e.g., failure to encrypt data as required by a services
agreement) or through a “tort,” such as a negligence
claim (e.g., but for the business’s failure to reasonably
protect the consumer’s personal data, this breach would not
have occurred and the consumer would not have incurred certain
damages).

About P.A. 21-119

Recognizing that no business is ever truly “breach
proof,” on July 6, 2021, the Connecticut legislature signed
Public Act 21-119 “An Act Incentivizing the Adoption of
Cybersecurity Standards for Businesses” into law (“P.A.
21-119”). P.A. 21-119 creates a safe harbor against punitive
damages for “covered entities” that have suffered a
“data breach” involving “personal
information” or “restricted information,” if such
covered entity has “created, maintained and complied with a
written cybersecurity program that contains administrative,
technical and physical safeguards for the protection of personal or
restricted information and that conforms to an industry recognized
cybersecurity framework.” A business does not qualify for
this safe harbor if its failure to implement such cybersecurity
controls arises from gross negligence or willful or wanton
conduct.


What this means is that a business sued for negligent data
protection practices related to a data breach will not be exposed to
punitive damages, so long as the business can demonstrate that it has
a written cybersecurity program that (A) conforms to an industry
recognized cybersecurity framework and (B) contains administrative,
technical and physical safeguards for the protection of personal or
restricted information. However, because P.A. 21-119 is limited to
punitive damages (i.e., damages that are awarded to punish the
defendant), a business may still be required to compensate
plaintiffs who were harmed as a result of the data breach (e.g.,
arising from identity theft).

What Types of Businesses Are Covered by P.A. 21-119?

P.A. 21-119 defines “covered entity” very broadly
and affords this protection to most businesses in the state.
Specifically, “covered entity” is defined as “a
business that accesses, maintains, communicates or processes
personal information or restricted information in or through one or
more systems, networks or services located in or outside this
state.” Moreover, P.A. 21-119 defines “business”
as follows: “any individual or sole proprietorship,
partnership, firm, corporation, trust, limited liability company,
limited liability partnership, joint stock company, joint venture,
association or other legal entity through which business for profit
or not-for-profit is conducted.”

As explained above, in order to qualify for the safe harbor in
P.A. 21-119, a covered entity must demonstrate that it has a
written cybersecurity program that (A) conforms to an industry
recognized cybersecurity framework and (B) contains administrative,
technical and physical safeguards for the protection of personal or
restricted information.


A. What Industry Recognized Cybersecurity Frameworks
Qualify?

Under P.A. 21-119, a covered entity’s cybersecurity
program qualifies for the aforementioned safe harbor if it conforms
to the current version, or any combination of the current versions
of, the following industry recognized cybersecurity frameworks:

  1. “The ‘Framework for Improving Critical
    Infrastructure Cybersecurity’ published by the National
    Institute of Standards and Technology”;

  2. “The National Institute of Standards and Technology’s
    special publication 800-171”;

  3. “The National Institute of Standards and Technology’s
    special publications 800-53 and 800-53a”;

  4. “The Federal Risk and Management Program’s
    ‘FedRAMP Security Assessment Framework’”;

  5. “The Center for Internet Security’s ‘Center for
    Internet Security Critical Security Controls for Effective Cyber
    Defense’”; or

  6. “The ‘ISO/IEC 27000-series’ information
    security standards published by the International Organization for
    Standardization and the International Electrotechnical
    Commission.”

If a covered entity’s cybersecurity program complies with
the current version of the “Payment Card Industry Data
Security Standard” (“PCI-DSS”) and the current
version of one of the cybersecurity standards set forth above, then
it is also subject to the safe harbor in P.A. 21-119.

In addition, a business is also eligible for the aforementioned
safe harbor in the event that its cybersecurity program conforms to
the current version of one of the following:

  1. The security requirements of the Health Insurance Portability
    and Accountability Act of 1996, P.L. 104-191
    (“HIPAA”);

  2. Title V of the Gramm-Leach-Bliley Act of 1999, P.L.
    106-102;

  3. The Federal Information Security Modernization Act of 2014,
    P.L. 113-283; or

  4. The security requirements of the Health Information Technology
    for Economic and Clinical Health Act (“HITECH”).

B. Required Safeguards for Cybersecurity Program

Finally, P.A. 21-119 requires that a covered entity’s
cybersecurity program contain administrative, technical and
physical safeguards for the protection of personal or restricted
information. Specifically, a covered entity’s cybersecurity
program must: (i) “[p]rotect the security and confidentiality
of such information”; (ii) “protect against any threats
or hazards to the security or integrity of such information”;
and (iii) “protect against unauthorized access to and
acquisition of the information that would result in a material risk
of identity theft or other fraud to the individual to whom the
information relates.” The following factors will determine
the scale and scope of a covered entity’s cybersecurity
program: “[i] [t]he size and complexity of the covered
entity; [ii] the nature and scope of the activities of the covered
entity; [iii] the sensitivity of the information to be protected;
and [iv] the cost and availability of tools to improve information
security and reduce vulnerabilities.”

P.A. 21-119 takes effect on October 1, 2021.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
