Connecticut’s New Breach Notification and Data Security Laws: Carrots and Sticks
Dr. Frederick Scholl, cybersecurity program director, Quinnipiac University
Two new laws were passed this session by Connecticut legislators; they together make the state a leader in cybersecurity protections for citizens. Bill # 5310, the new Data Breach Notification law, expands the definition of “Personal Information” triggering the required notice. House Bill # 6607 offers reduced liability for businesses that implement standards-based security protection frameworks and still suffer a data breach. These new laws take effect on October 1, 2021. Working together, this legislation should protect citizens’ data privacy while providing a way for business to avoid crippling lawsuits and damages.
The punitive type of breach notification legislation started in 2002 in the state of California. Now all 50 states have such laws. Typically, they require that, if an entity has a breach of unencrypted personal information of that state’s residents, it must provide notice to those residents and offer free credit monitoring services. In Connecticut and many other states, the Attorney General enforces this law. For example, in the 2015 Experian data breach, effected CT residents were awarded a total of $4.785M. The data breach notification laws were a response to the massive increase in data breaches over the past 15 years. Privacy Rights Clearinghouse1 reports that since 2005 8,804 data breaches have been reported, resulting in 11,575,804,706 records being compromised.
The new Connecticut breach notification bill expands the definition of personal information to include:
- Taxpayer ID
- IRS Identifier
- Passport ID or any government issued identifier
- Medical information
- Biometric information
- Username and password permitting access to online accounts
It also shortens the time that breached entities have to report, from 90 days to 60 days. This area is a little murky to me, since breached entities often do not know when they were breached, and it may take additional time to determine the scope of the breach. I just received a breach notification from one of my banks, in which the bank stated it was providing me notice that my information had been compromised in 2016, five years ago! I still would get credit monitoring going forward.
HB 6607 provides incentives for businesses to adopt standards-based security frameworks. Previously, Ohio and Utah had passed such legislation2. The incentive is that the Superior Court of Connecticut shall not assess punitive damages against any business suffering a data breach, if that business had implemented a standards-based cybersecurity program. In data breach cases, often it is hard to show direct “actual” damages. However, courts can levy punitive damages based solely on statutory violations. If the business had an operating security framework, the Court shall not assess such punitive damages. Frameworks listed by the statute include:
- NIST Cybersecurity Framework; a general framework applicable to all business
- NIST SP 800-171; a framework required for businesses doing business with the DoD
- NIST SP 800-53; a framework used by Federal agencies
- FedRAMP; a security framework for cloud providers who want to do business with the Federal government
- CIS Controls; the Center for Internet Security broadly applicable 20 controls for effective cybersecurity
- ISO 27000 series; the international cybersecurity management framework
- HIPAA security: required by any entity involved with Protected Health Information
- Gramm-Leach Bliley; required security for financial entities
- FISMA; the overarching Federal cybersecurity law
- PCI; Payment Card Industry Data Security Standard
In summary, HB 6607 accepts pretty much ALL standards in the cybersecurity industry. The good news is the Connecticut did not try to create a new cybersecurity standard. This was done by Massachusetts3 in 2009 before cybersecurity standards became more widely accepted. Virtually all businesses should already be implementing one of the above standards. The law also states that the size and scale of that cybersecurity program should be based on factors including “cost and availability of tools to improve information security and reduce vulnerabilities.” So, there is no excuse to not implement one of the frameworks. The advantage of using a formal framework is that they give you a comprehensive approach to good security practices.
There is a lot more taking place on the privacy front. The GDPR (General Data Protection Regulation), covering privacy rights of EU citizens, went into effect in 2018. While protecting only EU citizens, US companies must comply with its privacy requirements. In the absence of a US federal privacy law, states are adopting tougher laws to protect consumers. California has pioneered with the CCPA (California Consumer Privacy Act); Virginia recently passed its own VCDPA (Virginia Consumer Data Protection Act). A big difference between these laws is that CCPA permits private right of action in lawsuits by consumers against breached companies. In a recent precedent setting case, Atkinson v. Minted, Inc4, consumers in California were able to obtain a $5M judgement after Minted suffered a data breach. The affected consumers joined in a class-action and the case achieved standing in Federal District court. Another privacy case in the news is Patel v. Facebook5, a case just settled by the parties for $550M, the largest privacy related settlement ever! This case turned on the application of Illinois’ 2008 BIPA law (Biometric Information Privacy Act).
The takeaways from all these laws and cases are that: privacy law is very complex; transgressions are getting more expensive for businesses; but well-defined paths to avoid costly litigation are laid out for business. Now it's just time to get to work.
The cybersecurity industry needs qualified professionals to do this important, ongoing work. Learn how Quinnipiac University’s MS in Cybersecurity program can prepare you as a knowledgeable thought leader to advance the field of cybersecurity.