- Connecticut General Assembly unanimously passes bill limiting punitive damages against businesses for data breaches if they can demonstrate that they took adequate steps to provide cybersecurity protections
- Applies to businesses that handle personal or restricted information
- Passage follows several prominent cyberattacks against businesses in the United States
Summary by Dirk Langeveld
In the wake of several prominent cyberattacks against businesses in the United States, the Connecticut General Assembly has unanimously passed a bill seeking to incentivize businesses to adopt adequate cybersecurity measures.
The bill declares that courts shall not impose any punitive damages against a business accused of allowing a data breach by failing to implement “reasonable cybersecurity controls” if the business can demonstrate that it “created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework.”
The measure applies to any business that accesses, maintains, communicates, or processes personal information or restricted information such as Social Security numbers, credit card numbers, passwords, and medical information. Certain exemptions are included; for example, the protection does not apply to failures to implement reasonable cybersecurity controls resulting from “gross negligence or wilful or wanton conduct.”