Privacy, Technology and Perspective
Connecticut’s New “Privacy Breach” and “Cybersecurity Standards” Acts Follow Ohio and Utah. Connecticut’s data breach reporting and cybersecurity laws have recently changed through two acts: one widens breach reporting obligations, and the other, following Ohio and Utah, incentivizes businesses to adopt industry-recognized cybersecurity standards.
“An Act Concerning Privacy Breaches”: Public Act 21-59 (“An Act Concerning Privacy Breaches”) expands breach-reporting requirements in two significant regards: (1) it amends the state’s previous breach reporting requirements to broaden the scope of “personal information” covered by the law; and (2) it shortens the notice period required under state law from 90 days to “without unreasonable delay, but not later than 60 days” from the day the breach is discovered.
(1) Broadened definition of “personal information”: While many states’ breach-notification statutes still define “personal information” as (roughly) a person’s name in combination with one or more specific pieces of data, such as a Social Security number, driver’s license number, or an account number together with its security code, Connecticut’s breach notification statute has been updated to expand the list of specific pieces of data to include:
· IRS-issued PIN numbers;
· government-issued ID numbers that are commonly used to verify identities (passport numbers, military ID numbers, etc.);
· medical information;
· health insurance numbers;
· biometric information; or
· usernames and email addresses in combination with security questions and answers that would open access.
(2) Shortened breach notification deadline: Connecticut’s new breach notification statute also shortens the timeline for regulated entities to report a “breach of security” from 90 days to “without unreasonable delay, but not later than 60 days.”
The Act also updates certain notification requirements that apply once a breach occurs, such as not using a compromised account to notify an affected person. In addition, the Act clarifies that regulated entities are those who “conduct business in th[e] state, and who, in the ordinary course of such person’s business… owns, licenses or maintains computerized data that includes personal information.”
“An Act Incentivizing the Adoption of Cybersecurity Standards by Businesses”: Connecticut has adopted legislation to incentivize businesses to implement reasonable cybersecurity controls: Public Act 21-119 (“An Act Incentivizing the Adoption of Cybersecurity Standards by Businesses”). This legislation brings Connecticut law closer to both Ohio’s Data Protection Act and Utah’s Cybersecurity Affirmative Defense Act in using a cybersecurity safe harbor (at least against punitive damages) to incentivize, rather than mandate, compliance with an “industry recognized” cybersecurity framework. By invoking this affirmative defense, covered entities may rebut a claim brought by a plaintiff if they can prove in court that their cybersecurity program conforms to an industry-recognized cybersecurity framework, and thereby negate liability for data breaches in certain lawsuits.
“Recognized frameworks”: Connecticut’s law grants its cybersecurity safe harbor (at least against punitive damages) in the event of a breach to a defendant business that can show compliance with an “industry recognized” cybersecurity framework. The qualifying frameworks are spelled out in the Act. They include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security (CIS) Critical Security Controls, the ISO 27001 family, or FedRAMP, or (where applicable) compliance with the cybersecurity requirements of HIPAA, Gramm-Leach-Bliley, HITECH, PCI, or the Federal Information Security Modernization Act of 2014.
For reference, links to Connecticut’s, Ohio’s and Utah’s cybersecurity safe-harbor laws follow:
Connecticut’s Public Act 21-119 (“An Act Incentivizing the Adoption of Cybersecurity Standards by Businesses”):
Ohio’s Data Protection Act:
Utah’s Cybersecurity Affirmative Defense Act:
On open questions: The statutory list of acceptable frameworks seems very short. Many more excellent cybersecurity frameworks besides these are in common use today. Many of these have been designed by and for businesses in particular industries, or have been designed for broader application, but are quite comprehensive and are strongly preferred by high percentages of businesses that handle sensitive information. We wonder whether the safe-harbor statutes will push the proponents of these other frameworks to argue for their specific inclusion in the statutory language. But this may not be necessary, as some of the other frameworks are splendid vehicles to show compliance with HIPAA, GLBA, and so on, while others cover much the same material as NIST, CIS and the others and may go beyond them in depth and detail.
On business decisions: To comply with the substantive standards of a recognized framework is desirable and doable. But to become officially certified as compliant with a recognized framework may be an entirely different thing, and much more expensive. Will it be worth the extra cost? It may not be, but the business decision may be whether the extra cost of certification will have been worth it when a breach has actually happened, and the plaintiff seeking class certification argues that the defendant business was grossly negligent in executing the controls in the framework.
Encryption is still a strong technical safeguard. Many state statutes specify a safe harbor for encryption, where the trigger for breach notification is the unauthorized access or acquisition of personal “unencrypted computerized data.” So identifying and encrypting personal information, we believe, is still a strong safeguard, not only for maintaining the integrity of that data, but also for defending a business in the event of a data breach claim.
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.