2 State Cybersecurity, Data Privacy Laws Enacted in Connecticut and Colorado

Connecticut Law Provides Security Incentives; Colorado Measure Addresses Consumers' Privacy
Dan Gunderman (dangun127) • July 13, 2021
Connecticut capitol building in Hartford (Source: Wiki Commons)
Two states have recently taken steps to bolster cybersecurity and data privacy protections.

Connecticut has enacted a law designed to give certain legal protections to businesses that adhere to cybersecurity frameworks. And a new data privacy law in Colorado allows individuals to opt out of data collection.

Connecticut Gov. Ned Lamont signed the Cybersecurity Standards Act on July 2, joining Ohio and Utah in adopting an incentive-based approach for enterprise cybersecurity implementation. The law goes into effect Oct. 1.

The Colorado Privacy Act, signed into law by Gov. Jared Polis on Wednesday, grants residents the right to access, correct and delete personal data held by organizations. When the law goes into effect July 1, 2023, state residents will also be able to opt out of the sale of their information and the processing of their personal data for targeted advertising. Colorado joins California and Virginia as the only states with comprehensive privacy measures.

Safe Harbor Protection
The new Connecticut law prohibits punitive damages from being assessed against organizations in the wake of a data breach if they've implemented "reasonable" security controls. The law states that the court may not assess such damages if the organization created, maintained and complied with a written cybersecurity program that offers administrative, technical and physical safeguards for protecting personally identifiable information as well as restricted information.

The new state law stipulates that organizations must conform with revisions and amendments to industry-recognized cybersecurity frameworks, laws and regulations within six months after any changes are published.

"Cybersecurity is largely unregulated today; there is no national statutory minimum standard of information security, making it difficult to improve cybersecurity on a wholesale basis," says Curtis Dukes, executive vice president and general manager, security best practices, at the Center for Internet Security. "Connecticut's cybersecurity bill introduces a critical interim step - incentivizing the adoption of cyber best practices … to improve cybersecurity and protect citizen data."

NIST, FedRAMP and More
Legal protections provided under the new law hinge upon compliance with one of these frameworks: