2 State Cybersecurity, Data Privacy Laws EnactedConnecticut Law Provides Security Incentives; Colorado Measure Addresses Consumers' Privacy
Two states have recently taken steps to bolster cybersecurity and data privacy protections.
Connecticut has enacted a law designed to give certain legal protections to businesses that adhere to cybersecurity frameworks. And a new data privacy law in Colorado allows individuals to opt out of data collection.
Connecticut Gov. Ned Lamont signed the Cybersecurity Standards Act on July 2, joining Ohio and Utah in adopting an incentive-based approach for enterprise cybersecurity implementation. The law goes into effect Oct. 1.
The Colorado Privacy Act, signed into law by Gov. Jared Polis on Wednesday, grants residents the right to access, correct and delete personal data held by organizations. When the law goes into effect July 1, 2023, state residents will also be able to opt out of the sale of their information and the processing of their personal data for targeted advertising. Colorado joins California and Virginia as the only states with comprehensive privacy measures.
Safe Harbor Protection
The new Connecticut law prohibits punitive damages being assessed against organizations in the wake of a data breach if they've implemented "reasonable" security controls. The law states that the court may not assess such damages if the organization created, maintained and complied with a written cybersecurity program that offers administrative, technical and physical safeguards for protecting personally identifiable information as well as restricted information.
The new state law stipulates that organizations must conform with revisions and amendments to industry-recognized cybersecurity frameworks, laws and regulations within six months after any changes are published.
"Cybersecurity is largely unregulated today; there is no national statutory minimum standard of information security, making it difficult to improve cybersecurity on a wholesale basis," says Curtis Dukes, executive vice president and general manager, security best practices, at the Center for Internet Security. "Connecticut's cybersecurity bill introduces a critical interim step - incentivizing the adoption of cyber best practices … to improve cybersecurity and protect citizen data."
NIST, FedRAMP and More
Legal protections provided under the new law hinge upon compliance with one of these frameworks:
- Framework for Improving Critical Infrastructure Cybersecurity from the National Institute for Standards and Technology;
- NIST special publications 800-171 or 800-53 and 800-53a;
- Federal Risk and Authorization Management Program, or FedRAMP, Security Assessment Framework;
- Center for Internet Security controls;
- ISO 27000 series;
- Payment Card Industry Data Security Standards, or PCI-DSS.
The legal protections also are applicable if an organization conforms to these federal laws:
- Security requirements of the HIPAA or HITECH acts that govern the healthcare sector;
- Title V of the Gramm-Leach-Bliley Act;
- Federal Information Security Modernization Act.
"It is critically important to do a better job of protecting businesses and consumers against cyberattacks," says state Rep. Caroline Simmons, who introduced the bill. "In Connecticut, we took a step to accomplish this voluntarily without regulation by incentivizing organizations to adopt cyber best practices."
Sadia Mirza, associate at the law firm Troutman Pepper, says Connecticut's cybersecurity bill "incentivizes organizations to implement reasonable security procedures." But regulators may find it challenging to determine exactly what constitutes a "reasonable" security measure.
Commenting on the law, Rich Santalesa, founder, The Sm@rtedgeLaw Group, notes: "One concern I have is that this act, along with many other recent, similar state acts - are silent as to any express nod to including a constitutional jurisdictional hook. It makes no reference to personal data of Connecticut residents, nor that the 'covered entities' actually be doing business in Connecticut.
"This means that this and other similar laws could ultimately be challenged on due process grounds … if they're broadly enforced."
Colorado's Data Privacy Law
Meanwhile, the new Colorado data privacy law is the latest in a series of state initiatives designed to help protect privacy.
For example, Virginia recently enacted the Consumer Data Protection Act, and the California Consumer Privacy Act took effect in January 2020 (see: Privacy Legislation Progresses in 5 More States).
The Colorado law applies to data "controllers" that conduct business in the state or produce or deliver products/services to residents and control/process the personal data of at least 100,000 consumers per year. It's also applicable to controllers that derive revenue from the sale of personal data and process/control the information of more than 25,000 consumers.
Similarities to GDPR
The measure borrows certain provisions from the European Union's General Data Protection Regulation, or GDPR. These include requiring data protection assessments and imposing obligations on data processors.
The Colorado law provides consumers with the right to:
- Access their personal data;
- Correct inaccuracies in the data or delete it;
- Obtain a usable format of the data;
- Opt out of the processing of personal data for the purposes of targeted advertising and the sale of the data, including a universal, one-click opt-out option;
- Appeal a business's denial to take action.
The maximum penalty for each violation of the Colorado law is $20,000, compared with $7,500 under the Virginia law.
"Any time we have multiple states legislating in a particular area, we will see differences that raise compliance challenges," says Marian A. Waldmann Agarwal of the law firm Morrison & Foerster.
But the new state privacy laws will encourage organizations to look at their security compliance postures "holistically," says Troutman Pepper's Mirza.
And if more states enact privacy measures, that could create momentum for adoption of a federal privacy law. So far, numerous efforts to enact such a law have failed.