“…The new Connecticut law prohibits punitive damages being assessed against organizations in the wake of a data breach if they’ve implemented “reasonable” security controls. The law states that the court may not assess such damages if the organization created, maintained and complied with a written cybersecurity program that offers administrative, technical and physical safeguards for protecting personally identifiable information as well as restricted information.

The new state law stipulates that organizations must conform with revisions and amendments to industry-recognized cybersecurity frameworks, laws and regulations within six months after any changes are published.

“Cybersecurity is largely unregulated today; there is no national statutory minimum standard of information security, making it difficult to improve cybersecurity on a wholesale basis,” says Curtis Dukes, executive vice president and general Manager, security best practices, at the Center for Internet Security. “Connecticut’s cybersecurity bill introduces a critical interim step – incentivizing the adoption of cyber best practices … to improve cybersecurity and protect citizen data.”…

Read More: 2 State Cybersecurity, Data Privacy Laws Enacted https://www.govinfosecurity.com/2-state-cybersecurity-data-privacy-laws-enacted-a-17059