
Connecticut: Cybersecurity bill enters into law "incentivising entities to take proactive steps to implement a written cybersecurity program"

House Bill ('HB') 6607, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, entered into law on 24 June 2021 without the signature of Governor Ned Lamont. It establishes an exemption for businesses facing penalties as a result of a data breach.


In particular, HB 6607 establishes a defence in any cause of action founded in tort, brought under the laws of Connecticut, that alleges a failure to implement reasonable cybersecurity controls resulting in a data breach concerning personal information or restricted information. Notably, Connecticut has been active in updating its data breach legislation and recently signed HB 5130, An Act Concerning Data Privacy Breaches (codified as Public Act 21-119), which amends Connecticut's data breach notification law by:

  • broadening the definition of personal information to include additional categories of sensitive information;
  • shortening the time period to notify consumers and the Attorney General ('AG') of a security breach from 90 to 60 days; and
  • providing confidentiality for material obtained by the AG through Civil Investigative Demands.


Sherwin M. Yoder, Partner at Carmody Torrance Sandak & Hennessey LLP, highlights the key differences between HB 6607 and HB 5130, noting, "If [HB 5130] is a 'stick', spurring Connecticut businesses to increase data privacy and cybersecurity safeguards, then HB 6607 may be a 'carrot'. This second piece of legislation […] incentivises entities who store personal information to take proactive steps to implement a qualified written cybersecurity program."

More specifically, HB 6607 prevents the Superior Court from assessing punitive damages against a covered entity if it created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal or restricted information and that conforms to an industry-recognised cybersecurity framework. Furthermore, HB 6607 stipulates an exception to the defence where the failure to implement reasonable cybersecurity controls was the result of gross negligence or wilful or wanton conduct. The industry-recognised frameworks set out in HB 6607 include:

  • National Institute of Standards and Technology's ('NIST') Framework for Improving Critical Infrastructure Cybersecurity;
  • NIST's Special Publication 800-171;
  • NIST's Special Publication 800-53 and 800-53a;
  • Federal Risk and Authorization Management Program's FedRAMP Security Assessment Framework;
  • Center for Internet Security Critical Security Controls;
  • International Organization for Standardization and the International Electrotechnical Commission 27000 series information security standards;
  • Payment Card Industry Data Security Standard; and
  • Federal Information Security Modernization Act.

Moving forward

Yoder recommends organisations consider the following actions:

  • "Take stock of data practices and privacy and information security policies: Do you know where and how you are handling each of the new categories of 'personal Information'? Do your public-facing notices signal to customers that you recognise your expanding obligations regarding their data? Do you have written policies that empower employees to classify and protect personal data and that enable IT to maintain industry-standard technical and physical safeguards?
  • Update the incident response plan: Does the plan account for the shortened breach notification deadline? Does it address coordination of compliance obligations where the Health Insurance Portability and Accountability Act of 1996 Breach Notification Rule may apply?
  • Review third party contracts: Do your service provider contracts need to be updated to address definitions pertaining to personal data and the parties' responsibilities regarding incident response and breach notification?
  • Review insurance coverage: Do you have cybersecurity insurance? Does it need to be updated to cover incident response costs resulting from a data breach involving the new categories of 'personal Information'."

Finally, organisations have a short turnaround period, as both bills take effect on 1 October 2021.

Edidiong Udoh, Privacy Analyst

Comments provided by:
Sherwin M. Yoder, Partner
Carmody Torrance Sandak & Hennessey LLP