The pandemic has proven to be a major challenge for businesses of all sizes, not only in terms of operations but also data security. With the rise in online communications and remote work, there has been an increase in the number of cyberattacks targeting businesses across the country.
In 2021, a record 1,862 data breaches were reported in the United States, compromising the data of around 294 million people. Nearly a quarter of these breaches were caused by ransomware attacks, which is double the number reported in the previous year. While the military reported no data breaches in 2021, the number of breaches in all other sectors increased, with manufacturing and utilities experiencing twice as many as they did in 2020.
Amidst this growing threat landscape, several states have enacted laws to help businesses improve their data security posture. These cybersecurity safe harbor laws offer businesses legal protection from data breach-related lawsuits, as long as they have implemented reasonable security measures.
One of these states is Connecticut, which enacted its safe harbor law on October 1, 2021. Read on to learn more about the law and how it can help your business improve its cybersecurity posture.
Connecticut’s safe harbor law
As new technologies emerge and common threats evolve, even businesses that implemented strong security measures have not been able to prevent every cyberattack. For affected companies, it seems unreasonable to be held accountable and fined for every security breach despite taking every precaution.
This is where Connecticut’s safe harbor law comes in. It provides a way for businesses to avoid being held liable for damages resulting from a data breach, as long as they can prove that they took reasonable steps to safeguard their data. However, this only applies to cases where the breach is alleged to have been caused by “a failure to implement reasonable cybersecurity controls” and not by “gross negligence or willful or wanton conduct.”
In order to be protected under the law, your company must have implemented and maintained a cybersecurity program modeled after one of the industry-recognized frameworks when the data breach occurred. These standards include:
- National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and NIST special publications 800-53, 800-53A, and 800-171
- Federal Risk and Authorization Management Program Security Assessment Framework
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
- ISO 27000 series of standards
If you operate in a highly regulated industry, you may also be subject to federal cybersecurity laws, such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, or the Payment Card Industry Data Security Standard.
All of these standards require you to take specific steps to protect your data, such as identifying and protecting high-value assets, implementing risk management processes, and conducting periodic vulnerability assessments. They also contain guidelines on how to respond to a data breach, including steps to take before and after the incident and how to notify affected individuals.
Beyond following a recognized framework and complying with industry regulations, you must ensure that your cybersecurity program is tailored to your particular business needs and risk profile. The safe harbor law does not require businesses to meet a one-size-fits-all standard, but instead allows companies to use a risk-based approach when designing their security program. However, you are required to update your program within a specific time frame to reflect changes in the law or standard it is based on.
What this means for your company
Connecticut’s safe harbor law is a much-needed piece of legislation that will provide some relief to your business should it suffer a data breach. By providing you with legal protection from punitive damages, the law allows you to focus on improving your cybersecurity posture without having to worry about monumental fines and penalties.
However, this does not absolve you of all responsibility for a data breach. You must still take reasonable steps to protect your data, and you may still be held liable if the breach is caused by your negligence.
Safe harbor laws are a good step forward, but they are only one part of the larger cybersecurity puzzle. As businesses the world over grapple with data breaches and other security issues, it’s crucial for you to stay up to date on the latest cybersecurity trends and best practices.
If you’re unsure of where to start, consider seeking the help of a cybersecurity expert like Charles IT. We have the knowledge and expertise to help your organization meet various security and compliance requirements and protect your systems and data. Contact us today to learn more about our services!