Connecticut has recently updated its laws on cybersecurity. On June 6th 2021, the state enacted a new law called ‘Cybersecurity Safe Harbor (HB6607)’. This post briefly explains the law and what your business needs to do to comply.
What is Cybersecurity Safe Harbor?
Cybersecurity Safe Harbor aims to protect Connecticut businesses that take adequate measures to follow national cybersecurity standards. It is similar to a law recently passed in Ohio.
The law prevents the Connecticut Superior Court from assessing punitive damages ‘against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework’.
What does this mean? In basic terms, the court can no longer assess punitive damages if a business has been following certain national cybersecurity standards.
Punitive damages are amounts a defendant is ordered to pay on top of compensatory damages in cases of gross misconduct. They are intended to punish the defendant, much like a fine. Companies that meet specific cybersecurity requirements will no longer have to worry about such charges.
This can greatly relieve the financial burden on companies that find themselves the victim of a cyberattack.
Which Cybersecurity Requirements Must My Business Meet?
Cybersecurity Safe Harbor is granted only to companies that successfully meet certain cybersecurity requirements. These include:
- Three separate National Institute of Standards and Technology (NIST) standards
- The Federal Risk and Authorization Management Program (FedRAMP)
- The ISO 27000 series
- The Center for Internet Security Critical Security Controls for Effective Cyber Defense
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Gramm-Leach-Bliley Act
Companies that are subject to Payment Card Industry Data Security Standard (PCI-DSS) standards must also comply with the current version of PCI-DSS, plus the first four standards listed above.
Who Can I Hire to Help My Company Meet These Requirements?
When you outsource to a managed IT service, you get to work with a team of qualified IT professionals. Start looking into such services today if you don’t already use one.
There are clearly many requirements that must be met in order to qualify for Cybersecurity Safe Harbor. If you are a business owner who doesn’t have a background in IT, you may find it difficult to get your head around some of these requirements.
This is why it is worth seeking out the help of IT professionals. Such professionals will have a thorough understanding of these standards and will be able to advise you on what you need to do to make your business compliant.
IT professionals will help you prepare, so that if an incident occurs you are protected from punitive damages. Incidents like cyberattacks can already be very expensive to recover from, so it is a relief not to have to worry about these court charges as well.
Of course, meeting these cybersecurity standards is also likely to greatly reduce the risk of suffering a cyberattack in the first place. This is another strong reason to comply with them: you could save yourself huge amounts of money in the long run.