Issue link: https://nebusinessmedia.uberflip.com/i/1427549
HARTFORDBUSINESS.COM | NOVEMBER 15, 2021

FOCUS: Cybersecurity

After year of high-profile hacks, companies rushing to get in compliance with CT's new cyber shield law

By Zachary Vasile
zvasile@hartfordbusiness.com

Companies across Connecticut are working to get their cybersecurity houses in order following the passage of a state law offering certain legal protections to businesses in the event of a data breach.

The law, signed by Gov. Ned Lamont in July and effective as of Oct. 1, bars state superior courts from assessing punitive damages against businesses in tort-based data breach cases as long as the business in question had adopted and adhered to a cybersecurity program based in an industry-recognized cybersecurity framework.

Business entities looking to qualify can pick from among several standards based on their size, industry, internal complexity and sensitivity, including plans developed by the National Institute of Standards and Technology, Federal Risk and Management Program, and Center of Internet Security, among others.

Lamont and other state officials have framed the legislation as a way to attract businesses to Connecticut and limit the financial exposure of companies that make a good-faith effort to protect their data at a time when sophisticated cyber attacks are targeting businesses in particularly sensitive sectors, such as energy, food and consumer electronics.

And it appears many firms are now looking to take advantage of the protection it affords.

"Over the last 60 days we've had quite a few people reach out looking to bring themselves up to par on this," said Chris Wisneski, an IT security and assurance services manager at the Hartford office of accounting and advisory firm Whittlesey. "There's been a big uptick in interest. And it's coming from all industries, not just small businesses. It's across the board."

While each framework will have its own requirements, Wisneski said there are some basics that would be folded into any comprehensive cybersecurity strategy, including multi-factor authentication, implementation of security awareness programs, which train employees in how to recognize phishing campaigns and other threats, and development of an incident response plan for intrusions or service interruptions.

Companies will also likely have to get tighter control over personal identifiable information, he noted. The law defines personal identifiable information as not only basic identifiers such as Social Security or credit card numbers but biometric data, including fingerprints, voice prints and retina and iris images.

A rush to get in compliance with these standards — not impossibly rigorous but not always intuitive or easily understandable to those outside the tech world — has sent many firms looking for consultants who can help them through the process, including those at Whittlesey.

"A lot of them have been reaching out to cybersecurity professionals," Wisneski said. "They just don't have the time and capability to do it on their own, and so they go to a third party."

'Just good public policy'

In general, those who have been following the development of the cyber shield proposal over the last several months give the finished law high marks.

"It's a great incentive," said Linn Freedman, an attorney who chairs the data privacy and cybersecurity team at Hartford law firm Robinson+Cole. "It's just good public policy to have a law in place that encourages companies to put cybersecurity measures in place. And it gives these companies something they can rely on — that if they take these steps, they can reduce their risk."

The law could be especially helpful to small- and medium-