CT HB06607

Bill

Status

Passed

7/6/2021

Primary Sponsor

Commerce Committee

Origin

House of Representatives

2021 General Assembly

AI Summary

  • Courts shall not assess punitive damages in tort cases alleging data breaches if a covered entity created, maintained and complied with a written cybersecurity program conforming to an industry-recognized framework, unless the breach resulted from gross negligence or willful/wanton conduct.

  • Acceptable cybersecurity frameworks include current versions of NIST standards (800-171, 800-53/53a), FedRAMP, Center for Internet Security Critical Security Controls, ISO/IEC 27000-series, HIPAA security requirements, Gramm-Leach-Bliley Act Title V, FISMA, HITECH Act requirements, and Payment Card Industry Data Security Standard.

  • Covered entities must update their cybersecurity programs within six months of any revision to the adopted framework or regulatory requirements.

  • Cybersecurity programs must be designed to protect security and confidentiality of personal and restricted information, defend against threats to information integrity, and prevent unauthorized access creating material risk of identity theft or fraud.

  • Program scope and scale shall be based on entity size and complexity, nature of activities, information sensitivity, and cost and availability of security tools; does not limit Attorney General or Consumer Protection Commissioner authority or other state data security requirements.

Legislative Description

An Act Incentivizing The Adoption Of Cybersecurity Standards For Businesses.

Last Action

Signed by the Governor

7/6/2021

Committee Referrals

Judiciary 3/22/2021
Commerce 3/10/2021

Full Bill Text

No bill text available