Connecticut Leads The Country With Cybersecurity Initiatives
Under a new Connecticut law, businesses and organisations that have been hacked could be shielded from liability provided they have adopted and implemented proper cybersecurity practices. The new rule is intended to encourage businesses and organisations to improve their digital defences.
While the Connecticut legislature was unable to pass a privacy law similar to those passed in California, Colorado, and Virginia, it did pass the “Act Incentivizing The Adoption Of Cybersecurity Standards For Businesses” – the bill was drafted by the legislature’s Commerce Committee and passed unanimously in the House and Senate in June, and will take effect on October 1, 2021.
This is one of a number of state and federal laws that may affect how MSSPs protect customer data. Connecticut’s Cybersecurity Standards Act, like many other data security laws enacted across the country, compels corporations and organisations such as MSSPs to implement cybersecurity programmes with appropriate controls.
The requirements of Connecticut’s Cybersecurity Standards Act are more general: rather than defining outright what reasonable controls are, as other states’ laws do by setting out their own requirements, it establishes reasonable controls through a safe harbour. The Cybersecurity Standards Act creates an affirmative defence to a civil lawsuit brought against a covered entity for a data breach involving personal and/or restricted information.
The bill stipulates that if a data breach occurs, the courts will not be able to award punitive damages if the business or organisation had a cybersecurity programme that included protections for securing the information exposed in the breach. The affirmative defence applies when the lawsuit is brought under Connecticut law or in Connecticut state courts, and when the defendant business or organisation can establish that it followed one of the industry-recognised cybersecurity frameworks.
What Cybersecurity Standards Are Referenced?
The following are some of the cybersecurity standards that are mentioned in this law:
National Institute of Standards and Technology
- Framework for Improving Critical Infrastructure Cybersecurity
- Special Publication (SP) 800-171
- SP 800-53 and SP 800-53A
Federal Risk and Authorization Management Program
- FedRAMP Security Assessment Framework
Center for Internet Security
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
International Organization for Standardization and the International Electrotechnical Commission
- ISO/IEC 27000 series
There will be mixed reactions to the implementation of any new law. While some may applaud the policy, others may believe it will not have the intended impact. LI Tech Advisors’ CEO and Founder, Anthony Buonaspina, BSEE, BSCS, CPACC, said:
I had no idea Connecticut was so proactive in encouraging businesses and organisations to strengthen their cybersecurity.
Connecticut has chosen to reward businesses rather than penalise them. Basically, honey attracts (and protects) more businesses than vinegar, and it allows businesses to avoid huge fines by simply improving security and adhering to all state-mandated security rules.
This, I believe, will result in a significant increase in enterprises contacting MSSPs to fill in the gaps and plug the holes in their IT security infrastructure. My advice to clients has always been that you should create bigger walls and broader moats to improve your security to a certain extent. Clients, on the other hand, frequently postpone the expense and “hope for the best.”
This adds to the urgency with which they must act to install these basic safeguards as quickly as possible, because the costs of bolstering security can now be viewed as an investment, comparable to cybersecurity insurance. You can save a lot of money if and when a security breach occurs by simply paying a little fee now.
You’ll also see the necessity for an MSSP to “certify” that a corporation has met all of the state’s guidelines, similar to WCAG ADA accessibility compliance. Many MSPs will, in my opinion, pivot their business models to become more MSSP-like. MSPs’ future, in my opinion, is swiftly becoming a “race to the bottom,” whereas MSSPs’ future is rapidly becoming a “race to the top.” I believe that many states will swiftly adopt this new method of “incentivizing enterprises.”
“I can see exactly how this will end up,” one online forum participant said. “Companies will perform the bare minimum to tick all of the audit’s boxes and then be free of all accountability. Companies should be held accountable for the repercussions if they choose to take risks and cut costs.”
“I’m not convinced rewards are the proper thing here,” another user said. “You put security in place because you value it, not because you’ve been promised a pony. Allow enterprises with shoddy security to fail. It paves the road for secure/mature organisations to use security as a differentiator and advantage.”
Cybersecurity is frequently regarded as a cost centre by many corporations and organisations. Many do not consider data security to be a necessary cost of doing business. Connecticut seeks to incentivise businesses and organisations that go above and beyond in terms of data security. There are also business owners and leaders all across the world who have been alarmed by reports of hacks, ransomware demands, and data breaches. The very thought of it can be frightening. Business owners and executives constantly operate under the assumption that they could be the next to be hit.
If you live in Connecticut or have business ties to the state, this could be a perfect opportunity to gain some peace of mind thanks to the new guidelines and protection offered by the Connecticut government.
Instead of condemning and penalising the victims, as has been the case for many years, the new rule will reward the appropriate behaviour. Will the state of Connecticut’s decision set a precedent? Is it likely that other states will follow suit?