Getting hit by a cyberattack can be devastating for any business. Not only can it cost in terms of damages and recovery, but you can be sued if the attack leads to a data breach and loss of sensitive information. There are cases where companies have had to pay millions of dollars in damages because they did not have adequate security measures in place to protect personal and proprietary data.
This is where implementing a robust cybersecurity program can help. By taking steps to safeguard your networks and data from unauthorized access, use, or destruction, you can help reduce the chances of a successful attack and minimize the damage if one does occur.
To incentivize businesses to be proactive in their cybersecurity efforts, several US states have introduced “safe harbor” laws. These laws provide protection from data breach litigation if a company can demonstrate that it had implemented and maintained a cybersecurity program that meets industry-recognized standards at the time of the breach. Connecticut’s safe harbor law was signed on July 6, 2021 and went into effect on October 1, 2021.
Connecticut’s cybersecurity safe harbor law
House Bill 6607, or An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, protects businesses that implement reasonable cybersecurity controls from punitive damages in certain data breach cases.
That is, your company could be shielded from liability in case you experience a breach of personal or restricted information if you have a cybersecurity program modeled after one of the industry-recognized frameworks or federal laws. But that is only if the breach is alleged to have been caused by “a failure to implement reasonable cybersecurity controls” and not by “gross negligence or willful or wanton conduct.”
So what are some of the industry-recognized frameworks that you can follow to qualify for safe harbor protection?
Acceptable frameworks for meeting safe harbor requirements
The following cybersecurity frameworks are generally considered the gold standard for developing a comprehensive cybersecurity program.
- National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and NIST special publications 800-53, 800-53A, and 800-171
- Federal Risk and Authorization Management Program Security Assessment Framework
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
- ISO 27000 series of standards
For businesses that operate primarily in the United States, either the NIST CSF or NIST SP 800-53 is a good place to start. NIST SP 800-171, on the other hand, is more appropriate for companies competing for government contracts or those working in research, as it’s specifically tailored for organizations handling controlled unclassified information. Meanwhile, ISO 27000 is a great choice for companies with global operations because it’s an internationally recognized standard.
But unless you work in a highly regulated industry, such as healthcare or finance, where you are required to comply with particular standards or federal laws, NIST CSF is the best option for meeting Connecticut’s safe harbor requirements.
It’s also important to note that aside from following a recognized framework, you must implement a cybersecurity program tailored to your company's specific risks. This means you may need to go beyond the framework and implement additional measures as necessary. You are also required to update your cybersecurity program within a specific time frame if there are changes to the law or standard it is based on to ensure it remains effective.
How NIST CSF qualifies you for safe harbor
The NIST CSF is a set of guidelines and best practices for managing cybersecurity risks. It is organized around five core functions: identify, protect, detect, respond, and recover. Each function outlines appropriate cybersecurity capabilities, projects, processes, and daily activities that organizations should consider to reduce cyber risks.
- The identify function helps you understand your business’s cybersecurity risks. This includes developing an understanding of your business processes and systems, as well as identifying which assets need to be protected.
- The protect function helps you put in place safeguards to prevent and/or detect unauthorized access to systems and data. This includes implementing security controls such as access management and data protection measures.
- The detect function helps you identify cybersecurity incidents and potential threats in a timely manner. This includes implementing activity monitoring and logging mechanisms.
- The respond function helps you contain and mitigate the impact of cybersecurity incidents. This includes developing and implementing incident response plans, managing communications, and conducting forensic investigations.
- The recover function helps you restore normal operations after a cybersecurity incident. This includes backing up data and systems, as well as implementing improvements to prevent or mitigate future incidents.
The NIST CSF is a good fit for meeting Connecticut’s safe harbor requirements because it is a comprehensive framework that covers all aspects of cybersecurity. It is also regularly updated to reflect changes in the threat landscape and emerging technologies.
Additionally, the NIST CSF is widely adopted and has been endorsed by government, industry, and academia. This means that there is a wealth of resources and support available for organizations looking to implement the framework.
Finally, the NIST CSF is flexible and can be customized to fit the needs of any organization. This makes it a good choice for businesses of all sizes and industries.
For more information on Connecticut's safe harbor law, NIST CSF, or other cybersecurity-related topics, don't hesitate to contact us. We would be happy to answer your questions and help you develop a cybersecurity program to keep your business safe!