Connecticut has become the third state to incentivize the adoption of cybersecurity controls by businesses operating in the state. Governor Ned Lamont signed HB6607, "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses." The bill, proposed by Representative Caroline Simmons, bars the superior court from imposing severe penalties on companies and organizations that implement a proper cybersecurity program based on recognized frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Center for Internet Security (CIS) Controls.
The bill further provides that, in a case arising from a breach of personal or restricted information, the court may not assess damages if the organization has created, maintained and complied with a written cybersecurity program containing technical, physical and administrative safeguards for protecting restricted information. "It is critically important to do a better job of protecting businesses and consumers against cyber-attacks. In Connecticut, we took a step to accomplish this voluntarily without regulation by incentivizing organizations to adopt cyber best practices, like the NIST framework and the CIS Critical Security Controls," said Representative Simmons.
Connecticut is the third state, after Utah and Ohio, to adopt an incentive-based approach that encourages businesses to implement strong cybersecurity programs. "Cybersecurity is largely unregulated today; there is no national statutory minimum standard of information security, making it difficult to improve cybersecurity on a wholesale basis," said CIS Executive Vice President & General Manager, Security Best Practices, Curtis Dukes. "Connecticut's cybersecurity bill introduces a critical interim step: incentivizing the adoption of cyber best practices like the CIS Controls, to improve cybersecurity and protect citizen data."
The CIS Controls are a set of recognized safeguards and actions that form the foundation of basic cybersecurity and cyber defence. Implementing the CIS Controls provides substantial security value against a wide range of attacks. Analysis shows that implementing the CIS Controls mitigates the majority of cyber attacks when mapped against the attack patterns in the ATT&CK framework published by the MITRE Corporation.
More specifically, the CIS Controls mitigate:
- 83% of all attack techniques found in the MITRE ATT&CK Framework.
- 90% of ransomware ATT&CK techniques.
- 80% of targeted intrusion techniques.
- 100% of instances of web-application hacking techniques.
Implementation Group 1 (IG1), the subset of the Controls that constitutes basic cyber hygiene, is effective in mitigating:
- 62% of all techniques in the MITRE ATT&CK model.
- 79% of malware ATT&CK techniques.
- 100% of the Insider Privilege and Misuse ATT&CK techniques.
The act also makes three changes to the state's data breach notification law:
- The time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach has been shortened from 90 days to no later than 60 days after discovery of the breach;
- If notice cannot be effected within the new 60-day window, a novel and significant amendment requires companies to provide preliminary substitute notice to individuals, and follow up with direct notice as soon as possible; and
- The law also significantly expands the definition of "personal information" that may trigger notification obligations to include an IRS identity protection personal identification number, certain medical information, biometric information, a username or email address in combination with a password or security question and answer (regardless of whether or not the individual's name is accessed in combination with it), and a number of other data elements commonly included in other states' data breach notice laws.
Under the bill, an organization must conform to any revision or amendment of the recognized cybersecurity framework it follows within six months after the revised framework is published. The bill takes effect on October 1, 2021.