Hold the punitive damages: Connecticut is latest to incentivize implementing cybersecurity frameworks

October 1, 2021


The Connecticut law, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, creates a “safe harbor” from punitive damages for businesses in tort cases where a data breach stemmed from an alleged failure to implement reasonable cybersecurity controls.  To benefit from the law, the business must have adopted one of six named industry frameworks (plus a seventh where payment card information is involved) or conform with the requirements of one of three federal legal frameworks.  This protection does not apply where “such failure to implement reasonable controls was the result of gross negligence or willful or wanton conduct.”