News & Insights

Recent Posts

Covid-19: Assessing the Legal Risk of Infectious Diseases

WSHB Employer Alert: FFCRA and DOL Regulations 4.2.20

Employment Practices Consultation & COVID-19

It’s a No-Win Situation: The Perils Facing Hospitals Due to the Coronavirus

COVID-19 Employer Alert: Summary of the CARES Act

COVID-19: New York Malpractice Law Alert

COVID-19 Employer Alert: Enactment of Families First Coronavirus Response Act (FFCRA)

WSHB Co-Founder Stephen Henning to Announce the Winner of CLM's 2020 Outside Counsel Professional of the Year Award

WSHB Partner Robert Hellner Shares Mediation Tactics at CLM’s 2020 Annual Conference

Risk Transfer and Contractual Indemnification – Who Gets Left Holding the Bag?

New Developments in Challenging Certificates of Merit — Seeking Dismissal for Failure to Concurrently File Certificate with the Original Petition

Seven Habits that Define a Highly Effective Claims Team

Social Media Do's and Don'ts

WSHB Partner Kelly Waters Named to NJBIZ's 2020 Best Fifty Women in Business List

WSHB Names Andrew S. Kessler as Managing Partner of the Firm's Philadelphia Office

WSHB Employment Alert: California Law Banning Arbitration Agreements Temporarily on Hold

Sam McDermott on the Dos and Don’ts of Construction Project Termination

Full Disclosure! Insurer Beware: Colorado’s New Automobile Policy Disclosure Law Has Teeth!

Andrew S. Kessler Named Legal Counsel for Northeast Community Center for Behavioral Health

WSHB Elevates Ten Partners to Defined Equity Status

Eleven WSHB Attorneys Elected Into Partnership

Eighteen Attorneys Elected to WSHB Senior Counsel

Supreme Court Allows Suit Over Website Accessibility

Strategies for Defending Legionella and Mold Claims

Residential Revolution

Time Limit Demand Issues Arrive in North Carolina

Temp Agency Absolved of Liability in Hotly Contested Action

Alternative Fee Agreements and Construction Issues: Oil and Water or Perfect Pairing!?

WSHB's Graham Miller Helps Demystify Construction Claims in the Pacific Northwest

WSHB Partner Janice Michaels Named to The Best Lawyers in America© 2020 List

One Bad Apple: Navigating through Sexual Battery and other Intentional Torts

Leading Construction Litigator Cynthia Tari Joins WSHB's Dallas Office

WSHB’s Philadelphia Partner Secures Summary Judgment in Catastrophic Premises Liability Matter

WSHB Welcomes New Partner Andrew Kessler

New Bill In New York Proposed for Signature by Governor Andrew Cuomo is Set To Make Employers "SWEAT"

Renowned Litigator Jason Williams Joins WSHB's Nevada Office

Litigator Richard Young Joins WSHB's Nevada Office

Published Appellate Opinion Upholding Summary Judgment in Favor of Commercial Tenant Against $3.5M Subrogation Suit

17 WSHB Lawyers Honored as 2019's Rising Stars

Arizona Supreme Court Allows Court of Appeals Decision Expanding Defendants' Ability to Enforce Settlements to Stand

WSHB’s Jason Klein Breaks Down the Good, the Sad and the Funny Sides of Claims

Litigating Sexual Battery and Other Intentional Torts: Navigating the One Bad Apple in Medical Negligence

WSHB Partner Michelle Arbitrio to Moderate Panel on Insurance and Risk Management in the Age of Mass Shootings

Girl on Fire: The Price of Pursuing the Truth in the #MeToo World

Pragmatic Issues on Settlement Versus Trial for Legal Malpractice Cases

A Withering Assault

The Natural Progression of Natural Disasters

Nevada’s Governor Signs Chapter 40 Reform Bill

WA Condo Law Changes Hope to Curtail Frivolous Defect Lawsuits and Stimulate Production

WSHB Co-Founder Stephen Henning Steps Into the Spotlight at this Year's West Coast Casualty Seminar

Professional Liability Expert Weighs In On Protecting Your Practice From Opioid Doc Arrest Fallout

Penalties, Punitives, and Granny Cams: The Escalating Lure of Elder Abuse Litigation

Are Structured Settlements Still Relevant

Game Changing Trends Affecting Construction

He's Not My Guy: The Joint-Employer Doctrine

WSHB Case Update: DOL Proposes Increase to Minimum Salary Threshold

WSHB and DWF Announce Exclusive Association

Employees Have a Private Cause of Action Under Pennsylvania's Medical Marijuana Act

Washington State Supreme Court Weighs in on Spearin Doctrine and Limiting Contractor Liability for Construction Defects

Employment Alert: Executive Order Said to Require Private Employers with 100 Plus Employees to Make Mandatory Vaccinations and/or Weekly Testing

WSHB New Jersey Client Alert: Covid-19 Virus Exclusion

Connecticut Enhances Data Privacy Laws and Protects Businesses Against Punitive Damages for Data Breaches

September 2, 2021

Joining Utah and Ohio, on October 1, 2021, Connecticut will become the third state in the nation to enact a data breach litigation “safe harbor” statute. Public Act No. 21-119 provides a layer of protection to businesses against lawsuits brought against them seeking punitive damages for data breaches. The legislature also passed a companion bill, HB 5310, outlining enhanced requirements for cybersecurity and protection of personal information. With ransomware attacks on the rise, Connecticut is taking measures to protect the private information of its residents as well as providing businesses with a standard framework to assist them in shielding their assets from future attack.

Limitations on Punitive Damages in Data Breach Litigation

According to the new law, Connecticut courts cannot assess punitive damages against a business that “created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information.” With ransomware attacks increasing against businesses of all sizes and types, even small business owners need to implement a cybersecurity program to protect the data of their company as well as their customers. This law recognizes that businesses which attempt to safeguard their employees and customers information may still be liable to others for a data breach. Now in Connecticut, so long as a business has a written cybersecurity program that meets the requirements of Connecticut law, they will be shielded from punitive damages brought by plaintiffs.

What is Required in Connecticut to Have a Cybersecurity Program Comply with the Law?

Cybersecurity programs in Connecticut must comply with certain standards to qualify for the new safe harbor provision. The statute points to several resources that provide guidelines for businesses as they design and implement cybersecurity programs. Generally, the cybersecurity program must protect and keep secure personal and confidential information against any threats or hazards presented by potential ransomware attacks or hacking by outside parties. Businesses should implement safeguards to thwart unauthorized access and acquisition of such information that could result in damage to their employees, customers and others.

The statute refers to model guidelines that businesses may use to create or improve their cybersecurity safeguards, including:

  • Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology;
  • The National Institute of Standards and Technology’s special publication 800-171;
  • The National Institute of Standards and Technology’s special publication 800-53 and 800-53a;
  • The Federal Risk and Management Program’s “FedRAMP Security Assessment Framework”;
  • The Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”; and
  • The “ISO/IEC 27000-series” information security standards published by the International Organization for Standardization and International Electrotechnical Commission.

Who is a Covered Entity Under the New Law?

The Connecticut “safe harbor” law for data breaches explicitly defines which businesses and entities will be covered by its provisions. Covered entities are defined as businesses that “access, maintain, communicate, or process personal or restricted information through one or more systems, networks, or services located inside or outside the State of Connecticut.” Basically, any business that stores, handles, or processes personal or restricted information is covered by this law.

A companion bill, which strengthened cybersecurity protections across the board, expanded the definition of personal information to include not only basic identifying information such as name, social security number, driver’s license, etc., but also taxpayer identification, passport number, IRS identification numbers, medical history or treatment, health insurance policy information, biometric information obtained electronically, and user name or email address as well as passwords.

The safe harbor law also adds the term “restricted information” in addition to “personal information.” Restricted information is defined in the statute as “any information about an individual, other than personal information or publicly available information…. that can be used to distinguish or trace the individual’s identity…. if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.” Again, this translates to an expansion of the type of information protected by this new legislation. Businesses should take measures to secure restricted information by implementing encryption, or other technologies to protect the identities of those linked to the information.

New Notification Requirements

The new laws, which go into effect on October 1, 2021, also shorten the time period in which businesses have to notify affected parties and the Attorney General of any data breaches. The prior deadline was 90 days and with the new revisions, businesses now have to report “without unreasonable delay”, but at the latest within 60 days of knowledge of the breach. Business must also now specifically notify its users who have had their user names or passwords breached and request that they create new passwords for their own protection as soon as possible.

Employer Takeaways

  • Review your current cybersecurity plan to ensure it complies with the framework outlined in the statute, or if you don’t yet have a cybersecurity plan use the framework to create a plan.
  • Note the expanded definitions of personal and restricted information when reviewing and creating cybersecurity plans and determine whether the retention of such information is necessary.
  • Be aware of the shortened notice requirements when responding to a data breach.
  • Know that compliance with standards outlined in the law will protect against punitive damages brought as the result of a data breach.

The Cybersecurity & Data Privacy practice group at WSHB is comprised of a national team of skilled attorneys who resolve and respond to our clients’ cybersecurity and data privacy needs. We offer a 24/7 response service for data breach emergencies. WSHB provides assistance in all matters concerning cyber risk management, data breaches, cyber insurance coverage, and tactful defense and litigation strategy. We monitor recent cyber trends and implement proven and cost effective solutions for our clients’ needs. Do not hesitate to reach out to the author of this article or a member of our team, should you have questions or concerns on how to properly implement the requirements of this new legislation into your cybersecurity program.


Privacy Policy      |      Site Map

© 2021 Wood Smith Henning & Berman LLP

Subscribe to our mailing list

* indicates required