Changes in CT’s Data Breach Laws, Cybersecurity Incentives for Businesses, and What You Need to Know About Insurance Coverage and Cybercrime
Cybersecurity breaches and computer crimes against our government and large businesses have made national news headlines for several years. In 2010, cyberattacks were listed for the first time as a top ten threat to global businesses. By 2020, it was number two. As a result of the pandemic, cybercriminals are making a strong play for the number one spot this year. This is partly due to the workforce migrating to working from home, where security controls are weaker and human vulnerabilities and behaviors are harder to manage.
In addition, sophisticated threat actors are more active and more focused on local targets than you might think. A recent statistical survey conducted by one Connecticut news outlet reports that forty percent of Connecticut businesses have reported some breach, and resulting monetary harm, in the last three years, caused by data encryption for ransom, intercepted wire transfers, and other fraud.
In response to the increase in cybercrime, the state of Connecticut has updated and strengthened its Data Breach Notification Law. It also recently passed a law incentivizing the adoption of cybersecurity standards for businesses. This blog post summarizes these two new laws and provides information and recommendations from Attorney Michael Kopsick’s recent webinar on cybersecurity and business insurance coverage.
Public Act 21-59: An Act Concerning Data Privacy Breaches was signed by Governor Lamont on June 16 and becomes effective October 1, 2021. This law expands the definition of “personal information.” Previously, it covered an individual’s first name (or first initial) and last name in combination with a social security number, driver’s license number, state ID card number, credit or debit card number, or a financial account number together with any security code, access code, or password that would permit access to the financial account. “Personal information” now also includes the following additional categories:
- Individual taxpayer ID number (a category for which an organization will now be required to provide 24 months of complimentary identity theft protection services)
- Identity protection personal ID number issued by the IRS
- Passport number, military ID number, or other ID number issued by the government that is commonly used to verify identity
- Medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- Health insurance policy number or subscriber ID number, or any unique identifier used by a health insurer to identify an individual
- Biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image
- Username or electronic mail address in combination with a password or security question and answer that would permit access to an online account
The law also shortens the time within which a person or business must notify affected residents and the CT Attorney General after discovery of a security breach, from 90 to 60 days. If additional residents are identified as being affected by a breach more than 60 days after discovery, they must be notified as promptly as possible.
If the breach concerns an online account and its login credentials, notice should be provided along with direction to promptly change any password and security question and answer, or to take other appropriate steps to protect the affected online account and every other account for which the resident uses the same username or electronic mail address together with the same password or security question and answer. Notice should not be sent to a potentially compromised email account.
Organizations that are already following federal breach notification guidelines under HIPAA (Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health Act) shall be deemed compliant with the revised breach notification law, as long as they still notify the Connecticut Attorney General’s Office at the same time and comply with all other nonconflicting Connecticut breach notification requirements.
Additionally, any information connected to an investigation of a security breach shall now be exempt from public disclosure, unless the Attorney General makes such information available to third parties as part of the investigation.
Public Act 21-119: An Act Incentivizing the Adoption of Cybersecurity Standards for Business, signed on July 6, 2021, is intended to motivate businesses to strengthen their cybersecurity by creating, maintaining, and complying with an approved written cybersecurity program. The program must contain administrative, technical, and physical safeguards for the protection of personal or restricted information and must conform to an industry-recognized cybersecurity framework. Businesses that adopt these best practices into their cybersecurity programs will be shielded from legal liability in the event their customers’ data is exposed in a cyberattack. In other words, a company sued in Connecticut courts as a result of a cyberattack could escape punitive damages if it proves its practices meet the standards the law prescribes.
The frameworks recognized by the cybersecurity community and approved for this legislation include the current version of or any combination of the current versions of:
- The “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology;
- The National Institute of Standards and Technology’s special publication 800-171;
- The National Institute of Standards and Technology’s special publications 800-53 and 800-53a;
- The Federal Risk and Authorization Management Program’s “FedRAMP Security Assessment Framework”;
- The Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”; or
- The “ISO/IEC 27000-series” information security standards published by the International Organization for Standardization and the International Electrotechnical Commission.
The law, which takes effect on October 1, 2021, requires businesses to keep their programs up to date in order to maintain immunity from damages: a program must be amended within six months of any revision to the recognized framework it follows.
Business Insurance Coverage and Cybercrime
For years now, commercial insurance brokers have been suggesting riders and addenda to business insurance policies to help mitigate the risks from breaches and computer crimes. While insurance coverage is an excellent idea, you should know what is required of you to obtain such insurance, ask your agent questions about the scope of coverage, and learn what to do in the event of a claim.
Assuming you wish to obtain insurance protection and have analyzed your needs and the attendant cost/benefit, the next question is what coverages are available. Typically, cybersecurity policies address these types of “incidents”:
- Network shutdowns due to encryption or other breach
- Data breaches
- Financial frauds
In the event of such an incident, subject to certain policy limits and exclusions, the insurance will cover risks/losses associated with:
- Privacy revelations
- Security breaches related to data (financial and personal)
- Operational loss due to denials of access, data encryption for ransom, etc.
- Ransom payments
- System analysis and restoration
Policy coverage provided is through five distinct insuring agreements:
1. Security (malware, ransomware, data breach) coverage, which includes:
   - Legal expenses
   - IT forensics
   - Negotiation and payment of ransom
   - Breach notification to customers/clients/employees (more detailed below)
   - Public relations
   - System restoration
2. Privacy (customer/employee information is accessed/stolen) coverage, which includes:
   - Defense of third-party costs/claims, including regulatory investigations
   - Credit monitoring
3. Business Interruption (security failure or breach that stops operation) coverage, which includes:
   - Lost profits
   - Fixed expenses
4. Media liability (intellectual property right infringement, generally) coverage, which includes claims by and against third parties
5. Errors and Omissions coverage, which includes claims related to negligence in the performance, or the failure to perform, services
What cybersecurity crime policies do not cover includes future profits, the cost of technology and security upgrades, and the loss of value in stolen intellectual property.
The real additional value of coverage is incident response, which includes:
- The appointment of a breach coach to provide legal analysis and claim guidance
- Forensic and restoration resources
- Crisis management, including public relations and communications management
- Credit monitoring
Applying for Coverage
When considering the type and scope of coverage(s), you should evaluate the potential impact of a breach not only on your business but also, potentially, on your clients. Could a breach expose client data, including tax returns, social security numbers, or bank account numbers? If so, both state and federal law may obligate you to notify those clients in the event of a breach, and even to provide credit monitoring for a period of time thereafter. This can affect you financially and jeopardize future client relations. Could a potential breach grind your business operations to a halt? If so, business interruption insurance deserves serious consideration. Does the coverage include paying for ransom and the restoration costs of recreating data and file servers? Are those costs paid directly by the carrier, or by you subject to the carrier’s subsequent reimbursement? If the latter, are you financially prepared to carry such expenses until you receive your insurance proceeds? Are the costs of a breach coach and other restoration and forensic services fully covered under your policy?
The application for cyber insurance first requires a thorough evaluation of your internal IT security protocols, because the underwriting for such insurance, and the attendant premium costs, factor in your current level of preparedness and protection. Questions will be asked about offsite remote access, the integrity of firewalls, and the means and location of data storage and backup. It is recommended that, before applying for insurance, you consult an IT professional about the current state of your computer security and learn what is recommended and appropriate for a business of your size and nature. The process will encourage you to create an incident response protocol, assign specific tasks to appropriately skilled employees in the event of a breach, and evaluate employee computer use.