Connecticut provides breach safe harbor

Connecticut is following Utah and Ohio in approving legislation that provides a safe harbor for companies with cybersecurity programs.

The Connecticut Cybersecurity Standards Act, which was signed into law by Gov. Ned Lamont last week and becomes effective Oct. 1, provides that companies will not face punitive damages in the event of a data breach if they have  cybersecurity that conforms to an “industry-recognized cybersecurity program.”

Cybersecurity programs cited in the legislation include those of the Gaithersburg, Maryland-based National Institute of Standards and Technology and the East Greenbush, New York-based Center for Internet Security.

Entities that are regulated by the state or federal government can also meet the legislation’s standard by complying with the cybersecurity requirements of the Health Insurance Portability and Accountability Act of 1996, among other programs.

Utah’s comparable legislation, the Cybersecurity Affirmative Act, was signed into law in March and became effective in May, while the Ohio Data Protection Act took effect in November 2018.