Several states across the United States, including Connecticut, recently passed the Cybersecurity Safe Harbor Law. This landmark legislation is important for both businesses and consumers because it helps protect companies from liability for cybersecurity breaches while ensuring they are meeting the minimum cybersecurity standards that further consumer data privacy.
In principle, the Cybersecurity Safe Harbor Law aims to protect companies from being held liable for any cybersecurity breaches that occur on their networks — but only if one critical requirement is met. To be protected under this law, companies must implement a cybersecurity program based on established standards, such as:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework, including NIST 800-53A and NIST 800-171
- The Federal Risk and Authorization Management Program Security Assessment Framework
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA), for regulated entities
- The Federal Information Security Management Act, for regulated entities
As long as you can prove that your business is compliant with a recognized framework when a cyberattack happens, your organization is protected from privacy lawsuits and other legal claims related to that attack.
Connecticut’s Cybersecurity Safe Harbor Law
Also known as An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, Connecticut’s Cybersecurity Safe Harbor Law was signed on July 6, 2021, and went into effect on October 1, 2021. Like other laws of its kind, it protects businesses from punitive damages in any tort cases where organizations are sued for their “failure to implement reasonable cybersecurity controls” resulting in a data breach. However, the law doesn’t apply to cases where the business failed to implement cybersecurity measures due to “gross negligence or willful or wanton conduct.”
By offering legal protection instead of punishment such as exorbitant fees, the state encourages businesses to deal with cybersecurity ahead of time rather than wait for worst-case scenarios.
How Can Your Business Qualify Under the Safe Harbor Law?
To qualify under the Cybersecurity Safe Harbor Law, your business must achieve compliance with at least one of the recognized cybersecurity frameworks. Businesses in general can choose any of the frameworks to implement, but those that operate in a highly regulated industry should gain compliance specifically with the standard set by their industry's governing body, such as HIPAA for healthcare.
Once you decide on a framework, the first step is to familiarize yourself with its physical, organizational, and technical safeguard requirements. Cybersecurity standards vary in certain aspects, but all of them require businesses to implement a common set of core cybersecurity initiatives in order to be certified. These cybersecurity requirements are nonnegotiable and are as follows:
1. Disaster recovery plan (DRP)
A DRP is critical for ensuring that your systems can be quickly restored in the event of a cybersecurity incident or natural disaster, as well as for minimizing disruption and downtime. A solid DRP strategy shows auditors that you can guarantee the safety of your systems and data even if you suffer a data breach.
2. Robust security measures
Any business that seeks to comply with the recognized cybersecurity frameworks must have the following security measures in place:
- Firewalls – Firewalls scan all incoming and outgoing traffic for malicious activity and block any threats they find. They can be used to protect both individual devices and entire networks, and they can be configured to allow or block specific types of traffic as needed. They are essential for protecting against phishing scams and attacks from known malicious sources, like botnets.
- Antivirus and anti-malware software – Both antivirus and anti-malware software are critical in any cybersecurity strategy; antivirus scans for and removes viruses, while anti-malware handles malicious applications and activities. When implemented together, they can protect against data theft and device compromise or damage.
- Encryption – Encryption transforms readable data into an unreadable format, making it impossible for someone who doesn't have the decryption key to read it. Encryption is commonly used in cybersecurity to prevent hackers from accessing sensitive information. It can also be used to create digital signatures, which can help verify the identity of the sender or recipient of a message.
- Multifactor authentication (MFA) – MFA uses more than one method of verifying a user’s identity. These methods can include something the user knows (like a password), something the user has (like a token or phone), or something the user is (like a biometric feature). MFA makes it harder for hackers to take over an account, because they would need access to more than one of these factors.
3. Cybersecurity awareness training
By participating in cybersecurity awareness training, employees will understand the basics of cybersecurity and how to protect themselves and the company from cyberattacks. Employees who are adequately trained in cybersecurity are less likely to fall for a scam or be compromised by a cyberattack because they know how to identify malicious emails, phishing attempts, and other common tactics cybercriminals use. Conversely, employees who are not aware of the dangers posed by cyberattacks are more likely to fall for a scam or get their accounts hacked, thus putting their organization at higher risk of being compromised.
4. Regular cybersecurity defenses testing
Cybersecurity defenses are only effective if they are constantly updated and tested. Malicious threat actors are always coming up with new ways to penetrate networks, so it’s important to make sure your defenses can protect against newer and more sophisticated attacks. By regularly testing your cybersecurity defenses, you can find and fix any vulnerabilities before they can be exploited.
5. Up-to-date records of cybersecurity incidents and breaches
By tracking all of your past cybersecurity incidents and/or breaches, you can better understand the types of attacks that are being launched against your company. This information is essential in developing an effective incident response plan, as well as identifying key areas in your cybersecurity plan that may need improvement.
Meeting these cybersecurity requirements takes you one step closer to gaining compliance, as well as having protection under the Cybersecurity Safe Harbor Law. If you’re not sure whether you meet the cybersecurity standards set out by the Cybersecurity Safe Harbor Law in Connecticut, consult with a trusted security expert: Charles IT. Talk to a specialist today!