What Is Connecticut’s New Cybersecurity Law? How Does It Work?
It seems like every day, we hear stories about cyber attacks, ransomware demands, and data breaches. The Ponemon Institute reported that the average cost of a U.S. data breach in 2020 was $8.64 million.
A 2018 survey conducted by the Connecticut Business & Industry Association (CBIA) reported that nearly one-quarter of the state’s businesses experienced a data breach or cyberattack in the prior two years. Of those businesses, 90% had fewer than 100 employees.
Connecticut’s new cybersecurity law, Connecticut Public Act 21-119, takes effect Oct. 1, 2021. What protections does the law provide to companies that fall victim to cyber crimes? What do you need to do to be covered?
As Kelser’s manager of information security and compliance, I’ve been following this law and have helped businesses develop robust cybersecurity frameworks that will minimize exposure to punitive damages under the new law. I will explain what the law says and how you can protect your business.
What Is Connecticut’s New Cybersecurity Law?
The new law protects certain companies from punitive damages in the event of a security breach that compromises personal or restricted information. A similar Ohio law was enacted in 2018.
Punitive damages in cases like these can vary depending on factors like the size of the company, the size of a given breach and the number of individuals affected. They vary widely and are subject to interpretation by a jury and a judge. The bottom line is that they aren’t a risk any business wants to take.
Who Is Covered?
The law protects companies that have “reasonable” cybersecurity measures in place prior to the breach. It requires that the company “created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards.”
What Is Required?
Under the law, the company’s written cybersecurity program must conform to one of several “industry-recognized” cybersecurity frameworks.
The limit on punitive damages does not apply if the company is found to be grossly negligent as a result of willful or wanton conduct.
The law is another incentive for Connecticut companies to increase cybersecurity protocols and comply with nationally recognized standards of cybersecurity excellence.
How Are Companies Protected?
When a company has appropriate cybersecurity measures in place and an unauthorized person accesses, maintains, communicates, or processes personal or restricted information, the new law protects the company from potentially crippling punitive damages.
What Do I Need To Do?
If your company doesn’t have NIST 800-171 or a similar “industry-recognized” cybersecurity framework in place, act now!
While many companies view cybersecurity as an added cost of doing business that doesn’t really contribute to the bottom line, the cost of a data breach can be potentially crippling.
This law and its protections recognize that cybersecurity best practices provide short- and long-term benefits to businesses and offer one more incentive to comply with nationally recognized cybersecurity standards. Your business will be better protected as a result.
What Could Happen If I Don’t Have A Cybersecurity Framework In Place?
If you don’t have a proper cybersecurity framework and processes in place, your business could be open to legal and cybersecurity issues. Both can be expensive not only financially, but also in terms of your company’s reputation.
What If I Do Business In Other States?
Most states have current or pending cybersecurity legislation. The wording and coverage vary, but most have compliance requirements attached. To be protected, your business must meet certain cybersecurity standards.
Are There Similar Federal Laws?
While the European Union has an agency dedicated to achieving a high common level of cybersecurity across Europe, the U.S. does not currently have comprehensive, national cybersecurity laws or one agency shaping national policy and law.
But, a more comprehensive federal approach may be coming. Earlier this year, the White House issued an Executive Order making the “prevention, detection, assessment, and remediation of cyber incidents” a top priority. It establishes that cybersecurity is essential to national and economic security.
For now, U.S. companies must navigate a complex web of laws and regulations that vary by state and by federal agency. Some of these aren’t directly related to cybersecurity, making the job more difficult.
Does Your Company Have Cybersecurity Under Control?
The best advice I can give to people worried about cybersecurity is to stay on top of industry compliance standards. As many coaches have said for years, “the best defense is a strong offense.”
Get ahead of cyber threats. Whether you have an internal IT group or work with a managed service provider, make sure they have the tools to get the job done.
Being the victim of a cyber attack is not cheap. Having the proper protocols in place is becoming increasingly worth the investment. New laws and requirements provide yet another incentive to guard against cyber threats.
At Kelser, we’ve helped people just like you figure out how best to protect their business from cyber crime. Download our free cybersecurity eBook that will provide 10 simple ideas your business can do to improve its security posture now.