Ask Reggi Your Question Now
Can you summarize HB-6607?
House Bills > AN ACT INCENTIVIZING THE ADOPTION OF CYBERSECURITY STANDARDS FOR BUSINESSES.
Short Summary
This Act aims to incentivize businesses to adopt cybersecurity standards. It applies to businesses that access, maintain, communicate, or process personal information or restricted information in or through systems, networks, or services located in or outside Connecticut. The Act defines key terms such as ‘business,’ ‘covered entity,’ ‘data breach,’ ‘personal information,’ and ‘restricted information.’ In tort actions alleging a data breach resulting from the failure to implement reasonable cybersecurity controls, the Superior Court shall not assess punitive damages against a covered entity if it has a written cybersecurity program that complies with an industry recognized cybersecurity framework. The Act also outlines the factors to consider in designing a cybersecurity program and clarifies that it does not affect certification processes in class actions or limit the authority of the Attorney General or the Commissioner of Consumer Protection to seek relief.
Whom does it apply to?
Businesses that access, maintain, communicate, or process personal information or restricted information in or through one or more systems, networks, or services located in or outside Connecticut
What does it govern?
Incentivizing the adoption of cybersecurity standards for businesses
What are exemptions?
The provisions of this section do not apply if the failure to implement reasonable cybersecurity controls was the result of gross negligence or willful or wanton conduct.
What are the Penalties?
The Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework.
Jurisdiction
Connecticut