Understanding Connecticut’s Cybersecurity Law Changes

As Connecticut businesses keep a watchful eye on their cybersecurity efforts, the state has adopted its own plan to protect employers and consumers. 

“Having a solid incident response plan is really important, so when it happens, you are not scrambling to understand what to do,” said Whittlesey IT security and assurance services manager Chris Wisneski.

Wisneski said phishing attacks are up 666% since the start of the pandemic. 

Wisneski joined Carmody Torrance Sandak & Hennessey partner Sherwin Yoder and CBIA government affairs associate Ashley Zane Nov. 18 to discuss Connecticut’s recent cybersecurity law changes and best practices for businesses.

Wisneski said in 2020 alone, more than 60% of attacks were targeted at small to medium-sized businesses below 100 people. 

‘Not All Bad News‘

Connecticut passed two cybersecurity-related laws during the 2021 legislative session. 

Public Act 59 concerns data privacy breaches, while Public Act 21-119 stands as an incentive for businesses to adopt cybersecurity standards. 

Public Act 59 expands the definition of personal information that companies are required to report if they experience a data breach to more biometric information: 

• Social security number, driver’s license number, payment car, or financial account information 
• Medical information and health insurance policy information 
• Fingerprints, voice and retinal information
• Online account login credentials: username, email address, and password, security question and answer
• Passport, military ID, government ID numbers
• Individual taxpayer ID numbers
• IRS-issued identity protection personal identification numbers

Standards

Under the law, the notification timeline has also shortened, giving a firm 60 days to report a breach. 

Public Act 21-119 protects organizations from punitive damages if a third party sues following a data breach as long as the organization follows an industry-recognized cybersecurity framework.

The National Institute of Standards and Technology is the “golden standard when it comes to what framework your company should use,” said Wisneski. 

There are a number of other plans developed that businesses can adopt:

• Center for Internet Security 
• ISO 27001 (International Organization for Standardization) 
• Federal Risk and Authorization Management Program 
• HIPAA (Healthcare Information Security Rule) 
• GLBA Financial Institutions 
• PCI (Credit Cards)

Building a Plan 

“A cybersecurity plan does not have to be massive,” said Wisneski. 

It should, he said, be scaleable based on the size of a business. 

Still, Wisneski recommends each plan encompass a number of aspects: 

• Information Security Program: An overarching document that outlines everything a business has in place, including the administrative, technical, and physical safeguards.

• Acceptable Use Policy: A dos and don’ts guide for employees.
  
• Disaster Recovery Plan: Spells out a backup plan in case of emergency, like a fire.
  
• Business Continuity Plan: Focuses on safely and securely resuming business amid an interruption.
  
• Security Awareness Program: Phishing campaigns, employee education, etc.
  
• Vendor Management Program: If a company use a vendor or third-party service (i.e., cloud-based), experts recommend performing a risk assessment.
  
• Data Classification Policy: An understanding of all the data a company is working with so in the event of a breach, it is clear what data may be compromised.
  
• Incident Response Plan: A set of IT instructions to help staff detect, respond to, and recover from network security incidents. Many states require this.
  
• Designate a privacy officer who is responsible for overseeing the plan. A company may also have a security officer who is outsourced.

Best Practices 

Cybersecurity professionals say investing in employee education and training is crucial for businesses.

Employees are often the first lines of defense. It is important to educate employees about their responsibilities in protecting data. An employee should not shy away from reporting immediately if they click something questionable. 

“That is definitely the biggest area of attack and weakness and it could be turned into a strength,” said Yoder. 

Companies have found offering quick six to seven minute trainings regularly are more successful than longer 45-minute trainings annually.

Employees are often the first line of defense.

Scheduled phishing attacks should also be done on a monthly basis to familiarize employees with what to look for. 

Multi-factor authentication is also growing in importance and can block more than 90% of phishing attacks, according to Wisneski. 

Depending on the size of the businesses, professionals say firms should have cyber and IT security risk assessments performed annually.

This will also help with risk management and oversight so a company can understand where vulnerabilities are. 

CBIA offers a number of resources to help businesses with cybersecurity efforts, including business assessments and cyber insurance policies.