From October 1, 2021, companies that can show they have adhered to a written cybersecurity program will not be liable for damages if they are accused of failing to implement reasonable cybersecurity controls. The Connecticut General Assembly passed the Act, which gives companies very clear parameters for avoiding damages in the event of a data breach.
The Act states that any organization that has created, maintained, and complied with a written cybersecurity program will not be liable for punitive damages. The program must contain administrative, technical, and physical safeguards for the protection of personal or restricted information. It must conform to an industry-recognized cybersecurity framework (e.g., NIST, ISO). It should be designed to protect:
- Against any threats or hazards to said information
- The security and confidentiality of personal information
- Against unauthorized access to and acquisition of the information that would result in risk of identity theft or other fraud to the individual.
There are some key aspects that need to be considered when creating a program like this. The size and complexity of the organization must be taken into account, as must the nature and scope of the activities within the company. The sensitivity of the information that is collected needs to be a key consideration, as does the cost and availability of tools to improve information security and reduce vulnerabilities. Provided the organization implements a satisfactory program, it would not be expected to pay damages in the event of a data breach.
While it is reassuring to see clear indications of how your company can avoid being liable for damages, it can still be confusing to know whether your company has done all it can within the parameters set by this Act. Value Privacy can provide a full Privacy Health Check, in which we assess your processes and policies and check where you may have issues with your security. We can provide a clear report and help you implement any necessary adjustments. Contact us now to assess your company's privacy needs.