United States of America: Defense against cybersecurity liability adopted by General Assembly

The Act Incentivizing the Adoption of Cybersecurity Standards for Businesses (House Bill 6607) moves into force without signature of the Governor. The grace period ends on 1 October 2021. The bill creates a defense in any action brought under Connecticut law alleging a failure to implement adequate cybersecurity controls that results in a data breach involving personal or restricted information. In detail, Superior Courts shall not assess punitive damages against a covered entity if the entity created, maintained and complied with a written cybersecurity program that conforms to an industry recognized cybersecurity framework. Accepted frameworks can be found in subsection c. Covered entity means a business that accesses, maintains, communicates or processes personal information or restricted information.