Effective October 1, 2021, covered entities in Connecticut shall not be liable for punitive damages for alleged failure to implement reasonable cybersecurity controls if they created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards to protect PI and restricted information, and conforms to industry recognized frameworks (i.e., NIST, ISO); where applicable, revisions to state and federal cybersecurity provisions and the PCI DSS must be adhered to within 6 months of the publication of such revision.