TMCnet News
Connecticut Becomes Third State to Incentivize Cybersecurity Best Practices for Businesses

HARTFORD, Conn., July 12, 2021 /PRNewswire/ -- Connecticut Governor Ned Lamont signed HB 6607, "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses," into law last week. The bill, introduced by Representative Caroline Simmons, prohibits the Superior Court from assessing punitive damages against an organization that implements reasonable cybersecurity controls, including industry-recognized cybersecurity frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Center for Internet Security (CIS) Critical Security Controls (CIS Controls®).

The Connecticut bill states that in the event of a data breach of personal and restricted information, the court may not assess punitive damages if the organization created, maintained, and complied with a written cybersecurity program containing administrative, technical, and physical safeguards for protecting PII and restricted information.

"It is critically important to do a better job of protecting businesses and consumers against cyber-attacks," said Representative Simmons. "In Connecticut, we took a step to accomplish this voluntarily without regulation by incentivizing organizations to adopt cyber best practices, like the NIST framework and the CIS Critical Security Controls."

Connecticut joins Ohio and Utah in legislative efforts to adopt an incentive-based approach for businesses to implement cybersecurity best practices.

"Cybersecurity is largely unregulated today; there is no national statutory minimum standard of information security, making it difficult to improve cybersecurity on a wholesale basis," said CIS Executive Vice President & General Manager, Security Best Practices, Curtis Dukes. "Connecticut's cybersecurity bill introduces a critical interim step: incentivizing the adoption of cyber best practices like the CIS Controls, to improve cybersecurity and protect citizen data."

The CIS Controls are a set of internationally-recognized, prioritized actions that form the foundation of basic cyber hygiene and essential cyber defense. Applying the CIS Controls provides a critical, measurable security value against a wide range of potential attacks. Analysis shows that implementing the CIS Controls mitigates the majority of cyber-attacks when evaluated against attack patterns in the widely referenced ATT&CK framework published by the MITRE Corporation. Specifically, the CIS Controls mitigate:
Further, Implementation Group 1 (IG1), a subset of the Controls that is considered basic cyber hygiene, is effective in mitigating:
Under the bill, organizations have to conform with revisions and amendments to identified industry-recognized cybersecurity frameworks (like the CIS Controls), laws, and regulations within six months after the revised document is published. The bill becomes law on October 1, 2021.

View original content: https://www.prnewswire.com/news-releases/connecticut-becomes-third-state-to-incentivize-cybersecurity-best-practices-for-businesses-301328677.html

SOURCE Center for Internet Security