Connecticut 'Incentivizing Cybersecurity' Law

     It's indeed an infrequent occasion these days where I find myself pleasantly surprised by a new law in the Cybersecurity/Privacy realm. Yet here I am, delighted and impressed by Connecticut's new 'Act Incentivizing the Adoption of Cybersecurity Standards for Businesses', which was enacted this month.

   So what is this new law exactly?

   It is a law that allows companies who comply with one or more of several listed cybersecurity frameworks to raise an affirmative defense preventing them from being liable for 'punitive damages.'

   What's an affirmative defense?

   Unlike a typical defense where the defendant seeks to prevent the plaintiff from proving that the defendant acted in a manner that satisfies the required elements that define the law in question, an 'affirmative defense' is where the burden of proof is shifted, and that even if the plaintiff proves its case, the defendant has the opportunity prove that it met the elements of the affirmative defense and so it is not liable either wholly or in part. In the case of this law, it is not a 'complete defense'. The defendant would still be liable for actual damages but would not be liable for the often much greater 'punitive damages.'


   What are 'punitive damages?'

   Unlike actual damages, punitive damages are not designed to make a person or entity whole. They are designed to punish the defendant so that they change their behavior. These are often used in cases where actual damages are minor and perhaps not worth suing about, and so the company in question never changes its behavior because it is cheaper or less burdensome not to make changes. Punitive damages thus provide the incentive for change.


   What are the cybersecurity standards that are referenced under this law?


  1. Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST);
  2. NIST 800-171;
  3. NIST 800-53 and 800-53a;
  4. FedRAMP;
  5. Center for Internet Security
  6. Critical Security Controls for Effective Cyber Defense;
  7. ISO/IEC 27000 series.

   Under some circumstances:

  1. HIPAA;
  2. Gramm-Leach-Bliley Act;
  3. FISMA;
  4. HiTECH;
  5. PCI.

     Suppose you are located in Connecticut or have business connections to Connecticut. In that case, this is a great and rare opportunity to have a little peace of mind with some clear rules and protection from the state government. If you have any questions or concerns regarding this law, don't hesitate to give us a call or shoot us an email, and we will be happy to assist.

Keith J. Barry, Esq.
VP of Compliance

Keith J. Barry joined Digital Edge in 2013. Keith possesses a BA in Computer Science, a Juris Doctor degree from Brooklyn Law School, as well as several industry certifications including AWS Cloud Architect, CompTIA Network+, and CompTIA Server+. His career has mirrored his diverse interests, and Keith has experience on the technical side as a senior systems administrator, and on the legal/business side as an attorney and cybersecurity compliance officer.

Was this article helpful?