Can you summarize 42 CTGS 901?
Miscellaneous Provisions - Sec. 42-900 to 42-901 > Adoption of cybersecurity controls by businesses. Exemption from punitive damages.
Short Summary
This legal document pertains to the adoption of cybersecurity controls by businesses in Connecticut. It defines key terms such as ‘business’, ‘covered entity’, ‘data breach’, ‘personal information’, and ‘restricted information’. The document states that in tort actions alleging failure to implement reasonable cybersecurity controls resulting in a data breach, the Superior Court shall not assess punitive damages against a covered entity if it has a written cybersecurity program that complies with an industry recognized cybersecurity framework. The document provides a list of industry recognized frameworks and regulations that a covered entity’s cybersecurity program can conform to. It also outlines the requirements for a covered entity’s cybersecurity program, including protecting the security and confidentiality of personal and restricted information, protecting against threats or hazards to the information’s security or integrity, and protecting against unauthorized access to and acquisition of the information. The document clarifies that certification in class actions founded in tort is not affected or limited by this section. It also does not limit the authority of the Attorney General or the Commissioner of Consumer Protection to seek relief, and it does not affect or limit any other requirements specified in other sections of the law.
Whom does it apply to?
Businesses that access, maintain, communicate, or process personal information or restricted information in or through one or more systems, networks, or services located in or outside Connecticut.
What does it govern?
Adoption of cybersecurity controls by businesses. Exemption from punitive damages.
What are exemptions?
The provisions of this section do not apply if the failure to implement reasonable cybersecurity controls was the result of gross negligence or willful or wanton conduct.
What are the Penalties?
Punitive damages shall not be assessed against a covered entity if it created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework.
Jurisdiction
Connecticut