In July, Gov. Ned Lamont signed Public Act 21-119, which went into effect on Oct. 1, 2021, and protects Connecticut businesses in all industries from punitive damages if there is a cyber-breach that leads to the unauthorized access of personal or restricted information. But this protection applies only to businesses that have maintained and complied with a written cyber security program that conforms to an industry-recognized framework.
What is personal or restricted information?
Personal information has a specific meaning in this law. It refers to a person’s first name—or the first initial—and his or her last name, accompanied by at least one other piece of personal information that could compromise his or her protection from identity theft. The information that accompanies the person’s name must be any one—or more—of the following:
- Social Security number
- Taxpayer identification number
- Identity protection personal identification number issued by the Internal Revenue Service
- Driver’s license number, state identification card number, passport number, military identification number or other identification number issued by the government that is used commonly to verify identity
- Credit or debit card number
- Financial account number in combination with any required security code, access code or password that would permit access to such financial account
- Medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual
- Biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image
Additionally, personal information means a username or an email address, in combination with a password, or a security question and answer that would permit access to an online account.
However, personal information does not include information that is lawfully made available to the public from federal, state, or local government records or widely distributed media.
Separate from personal information, restricted information is any information about an individual—other than personal or publicly available information—that, alone or in combination with other information, can be used to distinguish or trace the individual’s identity.
Restricted information also includes information that, alone or in combination with other information, is easily linked to an individual, if the information is not encrypted, redacted, or altered in a way that would make it unreadable. Information is considered restricted if its breach is likely to result in a credible risk of identity theft or other fraud to a person or property.
Who does this law apply to?
This law applies to all businesses in Connecticut. A covered entity for purposes of this law is a business that accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services that are located in or outside of Connecticut.
Businesses must comply with an industry-recognized cyber security framework
The law states that a cyber security program must conform to an industry-recognized cybersecurity framework and includes examples such as:
- the National Institute of Standards and Technology’s Special Publication 800-171;
- the Federal Risk and Management Program’s Security Assessment Framework; and
- the Center for Internet Security Critical Security Controls for Effective Cyber Defense.
Additionally, it stipulates that a business is in compliance with this law—and thus shall not be assessed punitive damages by a court—if it has complied with the required, specific security standards set by state or federal regulation, such as the Health Insurance Portability and Accountability Act of 1996 and Gramm-Leach-Bliley. For more on Gramm-Leach-Bliley, access Privacy and the professional insurance producer in the PIA QuickSource library.
When a revision to an industry-recognized cyber security framework document is published—such as those listed above and others in the law—a covered entity whose cyber security program conforms to a prior version shall conform to such revision not later than six months after the revision is published.
What must be in the cyber security program?
A covered entity’s cyber security program shall be designed to protect the security and confidentiality of people’s personal information against any threats or hazards to the security or integrity of such information, and against unauthorized access to and acquisition of the information that could put the person to whom the information relates at risk for identity theft or other fraud.
The scale and scope of a covered entity’s cyber security program shall be based on the following factors:
- the size and complexity of the covered entity;
- the nature and scope of the activities of the covered entity;
- the sensitivity of the information to be protected;
- the cost and availability of tools to improve information security and reduce vulnerabilities; and
- the resources available to the covered entity.