Connecticut Enacts Law Shielding Businesses that Comply with Cybersecurity Frameworks from Punitive Damages in Data Breach Tort Lawsuits
On July 6, 2021, Connecticut Gov. Ned Lamont (D) signed Public Act No. 21-119 into law.
The new law immunizes businesses that comply with specific cybersecurity frameworks from punitive damages in tort actions brought under Connecticut law or in a Connecticut state court alleging that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or information that can be used to determine an individual’s identity or is reasonably linkable to an individual. This statutory immunity applies to all businesses regardless of whether or not they are incorporated or do business in Connecticut and is available to all forms of for-profit and nonprofit business entities including corporations, partnerships, trusts, limited liability companies, joint ventures, associations, individuals, and sole proprietorships.
While the law only immunizes compliant businesses from punitive damages and does not provide any immunity from compensatory and other non-punitive damages, compliance may significantly reduce businesses’ exposure in the event of a data breach, especially given that some courts have become more likely to impose common law duties on businesses that collect and possess personal information to safeguard such information from data breaches.
The specific cybersecurity frameworks enumerated in the law include the Payment Card Industry Data Security Standard (PCIDSS), which major credit card companies require businesses that accept credit card payments to adhere to, the federal National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and Special Publication 800-171, Special Publications 800-53 and 800-53a, the Federal Risk and Management Program’s FedRAMP Security Assessment Framework; the Center for Internet Security’s Center for Internet Security Critical Security Controls for Effective Cyber Defense; and the ISO/IEC 27000-series.
In addition to availing themselves of this newfound statutory immunity, businesses that work with an interdisciplinary team of experienced legal and technical professionals to ensure compliance with one of the enumerated cybersecurity frameworks can significantly reduce their vulnerability to cyberattacks and data breaches, the frequency of which has increased exponentially in recent years, especially during the COVID-19 Pandemic.
 Conn. Pub. Act. No. 21-119(a)(1).
 See, e.g. In re Rutter’s Data Security Breach Litigation, 511 F.Supp.3d 514 (M.D. Pa. 2021); Dittman v. UMPC, 649 Pa. 496 (Pa. 2018).
 Conn. Pub. Act. No. 21-119(c).