Connecticut Amends Data Breach Notification Requirements and Enacts Cybersecurity “Safe Harbor”

Cyber Security & Data Privacy Client Alert August 3, 2021

On June 16 and July 6, 2021, Connecticut Gov. Ned Lamont signed into law two new cybersecurity bills that keep Connecticut in line with the national trend of expanding cyber incident disclosure obligations, shortening notification timelines, and incentivizing the implementation of recognized cybersecurity standards. Both laws take effect on October 1, 2021. 

The first law, “An Act Concerning Data Privacy Breaches,” amends Connecticut's existing data breach law in a number of important ways, among them:

The second law, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” establishes a Cybersecurity ‘Safe Harbor’ statute.

The new law will establish an affirmative defense against tort claims alleging that a business's failure to implement reasonable cybersecurity controls caused a data breach. Businesses that have created, maintained, and complied with a written cybersecurity program can take advantage of this "safe harbor" if their written cybersecurity program complies with one or more of the industry-recognized frameworks (such as NIST SP 800-171, NIST SP 800-53, and the ISO/IEC 27000-series) or applicable federal laws (such as the cybersecurity requirements of the Health Insurance Portability and Accountability Act). 

Connecticut is the third state, after Ohio and Utah, to enact a cybersecurity safe harbor statute.

The new laws take effect on October 1, 2021. Companies impacted by these new laws should consider the potential impact on their current policies and procedures. If you have any questions, please contact Michael P. O'Mullan, Labinot Alexander Berlajolli, Robert N. Holup, or any other attorney in Riker Danzig’s Cyber Security & Data Privacy practice.