Connecticut recently passed two cybersecurity laws that will take effect October 1, 2021. The new laws change Connecticut’s existing breach notification requirements and establish a safe harbor for businesses that create and maintain a written information security program that complies with applicable state or federal law or industry-recognized security frameworks.
New breach notification requirements (HB 5310)
On June 16, 2021, Connecticut Governor Ned Lamont signed HB 5310, An Act Concerning Data Privacy Breaches. HB 5310 amends Connecticut’s existing breach notification requirements by:
- expanding the types of personal information that may trigger notification obligations in the event of a breach, to include: (i) taxpayer identification number; (ii) Identity Protection Personal Identification Number issued by the IRS; (iii) passport number, military identification number or other government-issued identification number; (iv) biometric data; (v) certain types of medical information; (vi) health insurance identification numbers; and (vii) a username or email address in combination with a password or security question and answer;
- shortening the time to notify affected Connecticut residents and the Attorney General of a breach from 90 days to no later than 60 days after discovery of the breach; and
- requiring “preliminary substitute notice” to individuals if a business cannot provide direct notification within the 60-day notification deadline. Businesses must also follow up this substitute notice with direct notice as soon as possible.
By passing the law, Connecticut joins a number of other states in expanding the definition of “personal information” in its data breach notification statute.
Safe Harbor for Cybersecurity (HB 6607)
On July 6, 2021, Governor Ned Lamont signed HB 6607, a law that incentivizes the adoption of cybersecurity standards for businesses.
HB 6607 prevents the Connecticut Superior Court from assessing punitive damages against a company that has created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or confidential information and that complies with an industry-recognized cybersecurity framework (for example, the Payment Card Industry Data Security Standard, the National Institute of Standards and Technology’s Cybersecurity Framework, or the information security standards of the ISO/IEC 27000 series).
The safe harbor also applies in cases where the cybersecurity program complies with applicable state or federal security laws and regulations (for example, the security requirements of the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act).
By passing the law, Connecticut joins Ohio and Utah as the third state to enact a safe harbor statute for cybersecurity.
Source: www.huntonprivacyblog.com