He sits down with Jason Pufahl, Steve Maresca, and Matt Fusaro to discuss a local government act–Public Act 21-119–that encourages businesses to take on cybersecurity frameworks that may protect them from data breach lawsuits.
The Main Frame Connecticut Public Act 21-119
Listen to this episode on
[00:00:01.210] – Speaker 1This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity with your hosts, Jason Pufahl and Steve Maresca.
[00:00:11.870] – Jason Pufahl
Welcome to CyberSound. I’m your host, Jason Pufahl, joined as always by Steve Maresca and Matt Fusaro. In particular, though, today, we have Sherwin Yoder joining us. He’s a partner with Carmody Law and responsible for the privacy and security practice there. Welcome, Sherwin.
[00:00:28.520] – Sherwin Yoder
Thanks, Jason. Nice to be here.
[00:00:31.530] – Jason Pufahl
Today we’re going to talk I think really specifically about an act in Connecticut, Public Act 21-119, which is a “safe harbor” Act intended to provide some protections for businesses who have adopted specific security standards. Sherwin, I suspect I’m probably not doing a great job introducing that. I don’t know if you want to add some context to that at all or a little bit of background.
[00:00:55.760] – Sherwin Yoder
Sure, I’m happy to. You did a fine job, by the way. I’m not only a guest; I’m a big fan of the CyberSound. I haven’t missed an episode.
[00:01:04.230] – Jason Pufahl
We appreciate that.
[00:01:06.870] – Sherwin Yoder
So, you accurately described the title and the Public Act Number 21-119. And it is an act incentivizing the adoption of cybersecurity frameworks, and we’ll get into what those might be in a second. But Connecticut has taken a piecemeal sectoral approach to encouraging businesses to adopt cybersecurity standards and protect personal information, and protect infrastructure and so forth.
[00:01:34.550] – Sherwin Yoder
Some of the things that they’ve done include data breach notification laws, comprehensive written security programs, or WISPs, required for banks, insurance companies, schools. In here is the first foray into making a generally applicable law to all of business.
[00:01:58.400] – Sherwin Yoder
Instead of laying down a hammer or a stick, they’re putting a carrot in front of business. The carrot is if you adopt one of these recognized cybersecurity frameworks, you’re going to be immune from punitive damages should someone sue you as a business for negligence resulting from a data breach, or a data breach that results from unreasonable security standards.
[00:02:26.930] – Jason Pufahl
And they’re not being explicit about what standards you have to adopt. I know they listed a few in the Act itself, but they’re giving companies the latitude to choose a standard that feels right for them. Is that accurate?
[00:02:42.050] – Sherwin Yoder
That is accurate. So, there’s an enumerated list of recognized frameworks, and there are more frameworks “out there” than what are listed in the statute. But they do list some very solid and popular consensus-driven standards, including those from the National Institute of Standards and Technology, or NIST, as well as the Center for Internet Security, which is also a very influential group and some others that we don’t need to name here.
[00:03:12.690] – Sherwin Yoder
They have different origins and contexts. Some were surrounding infrastructure like the NIST Cybersecurity Framework. Some were surrounding privacy, like the NIST Special Publication 800-53. Whatever the background, many of them are a general application and it’s just a matter of business, with proper counseling and advice figuring out what’s the best framework for them.
[00:03:41.610] – Jason Pufahl
One of the things that jumped out to me when I’ve read through this is—this is optional. Nobody is mandated to follow 21-119. It’s a safe harbor Act. If they adopt a standard, they get certain protections, but they’re not required to do it. Correct?
[00:03:57.400] – Sherwin Yoder
That’s right. It is 100 percent just incentivizing the adoption of a cybersecurity framework. However, I think we’ll get into this, there are good reasons for adopting these that are in the interest of the business itself.
[00:04:13.590] – Jason Pufahl
So, from a protection standpoint, though, do you need to be 100 percent in compliance, let’s say, with that standard? Or is it acceptable to be along a continuum somewhere of adoption of one because it could take a couple of years easy for somebody to actually get full compliance on one of these?
[00:04:33.560] – Jason Pufahl
Do you not get your protections until you’re fully in compliance? Can you demonstrate that, hey, we’re really on our journey and we’ve made some substantive improvements? I’m curious what that looks like.
[00:04:42.750] – Sherwin Yoder
So, obviously in the context of litigation is where that question is going to be hammered out for lack of a better word, and there probably will be a battle of experts. One expert saying they’ve complied and another expert saying that they haven’t complied.
[00:05:00.210] – Sherwin Yoder
But I think the background here is reasonableness, and that’s the general guiding principle, including making sure that the business understands it’s not a one-size-fits-all thing, that there’s certain determination about the scope and appropriateness of the type of program that you adopt. The program that works for UTC is not going to be the same program that works for your local [inaudible 00:05:31] car dealership or something like that.
[00:05:33.570] – Sherwin Yoder
There’s going to be varying levels of requirements, and it’s going to come down to what’s reasonable for the type of information you process, the size of your business, the nature of the data that you process, and so on.
[00:05:47.890] – Speaker 2
Are there appropriateness thresholds or reasonability guidelines that are established in the Act, for example, driven by particular types of data?
[00:05:58.930] – Sherwin Yoder
The Act is not express about the types of data that drive sensitivity, but you can imagine handling a Social Security Number if that’s something you do on a regular basis in your business might be different from just handling a date of birth and a name, and an address, or something like that.
[00:06:19.930] – Sherwin Yoder
So that’s just something that the business is going to have to take into consideration, and obviously, the more sensitive the data, the more attention is going to have to be paid to that.
[00:06:32.020] – Speaker 2
So effectively, getting back to your earlier comment about the battle of experts, the same would apply in terms of whether a control was reasonably implemented at the litigation side of the equation.
[00:06:42.860] – Sherwin Yoder
Yeah, that’s true. Although I want to bring the reins in a little bit on this because the way we’re talking, it seems to be like it’s so subjective. No one’s going to want to sign up for this and that’s just not the case. Reasonableness is not some elusive standard. There’s no “got you” standard there.
[00:07:07.030] – Sherwin Yoder
I think it’s really going to come down to whether you were in good faith adopting a program and complying with it. The statute and the law do not require 100 percent compliance, just reasonable compliance with a good-faith program that your company has tried to implement.
[00:07:32.890] – Jason Pufahl
Actually, I’m really glad that you drew us back a little bit because as we were talking a little bit earlier, one of the things that we look at 2022 is some optimism, is the increased push to mature security programs. We’re seeing it with cyber liability insurance and some of the requirements that they’ve got now to improve security programs.
[00:07:55.100] – Jason Pufahl
I think something like 21-119 is again a step in that right direction of giving people a reason to adopt a security program. We over here at Vancord deal a lot with incident response on that reactive side. I really want to see companies do more earlier to protect themselves and position themselves to reduce risk.
[00:08:15.570] – Jason Pufahl
I think this is a great step that way and I think that concept of reasonableness is exactly what people need to hear. There should be no discouragement for adopting and maturing against the standard.
[00:08:25.220] – Sherwin Yoder
No, that’s right. That’s the trend, and it’s only going to get more. So I think you put your finger on it, Jason. You see it not only in security legislation where legislatures in the state anyway are requiring more and more affirmative security demonstration of security controls.
[00:08:47.310] – Sherwin Yoder
Sometimes even annual attestations, for example, for the Insurance Commissioner, when you were talking about the program of an insurer, or a banking institution has to attest to the Banking Commissioner. And that trend is just going to continue.
[00:09:04.270] – Sherwin Yoder
You mentioned certifications and maturity. You have the new defense contractors’ requirements now, as of last December, over the next five years, those in the defense supply chain are going to have to certify a certain level of compliance in their cybersecurity model and actually get certified.
[00:09:25.520] – Sherwin Yoder
I do think that some sort of certification or rating is going to come down the pike and we see that with security, we see it with privacy, too. You see an increasing number of states passing broader and more comprehensive privacy compliance regimes, in California, now in Virginia, in Colorado. Connecticut probably will have its Consumer Privacy bill back on the legislative agenda this coming session.
[00:09:53.670] – Sherwin Yoder
So, anything that the companies can do now to demonstrate that they are serious about cybersecurity and privacy, it will serve them later. You mentioned insurance, that’s one way. They’ll be more attractive for insurance underwriters who are now tightening their belts and requiring more in terms of applications and questionnaires from potential insureds and just in general.
[00:10:26.150] – Sherwin Yoder
If you’ve got a good program that fits your risk profile, by definition, you are going to be decreasing your risk level and if something bad happens, you’re going to be decreasing the severity of that risk.
[00:10:41.390] – Jason Pufahl
[00:10:42.410] – Speaker 2
So, on that front, the Act mentions the scale and scope of a security program. How would an organization in Connecticut interpret that and determine what’s appropriate for that organization? What guidance, if any, does the legislation provide?
[00:11:03.470] – Sherwin Yoder
It just provides a few general categories or factors to consider of what would be an appropriate scale or scope of your program. So, one thing is size and complexity. How big is the organization? How complex? How many different types of operations and how do those operations interact with one another?
[00:11:26.500] – Sherwin Yoder
What’s the nature and scope of the activities of the business? So is it just manufacturing product, or are you processing lots of personal information? The nature and scope of the activities is important.
[00:11:40.870] – Sherwin Yoder
The sensitivity of the information. I think we mentioned that before that it matters what information you’re processing, whether it’s government contract data, defense data, or personal information of consumers. There’s a whole range of sensitivity levels that the business should map out and keep track of and assess appropriate controls, ratcheting those controls up the more sensitive the data becomes.
[00:12:10.230] – Sherwin Yoder
And then the cost and availability of the tools. The laws don’t require the business to go out and buy the Cadillac of information security tools. It just has to be something that’s reasonable in terms of the revenue of the company, for example, and it’s overhead or whatever all the economic considerations are, and just how available those tools are to that particular company.
[00:12:38.030] – Jason Pufahl
I think it’s fair to say if I were really going to boil this down, it’s better to do something than nothing, anyway. And so, this is really an Act incentivizing people to start down that programmatic security maturity journey and making improvements. I feel like you’re in a better position if you can say we’ve adopted a standard or we’re making progress against it, versus we buried our head in the sand and didn’t do anything.
[00:13:04.730] – Speaker 3
If I’m the business in Connecticut and I feel like we’ve met the standard, I want to be protected by this. What do they have to do?
[00:13:15.110] – Sherwin Yoder
Typically, when clients come to me to ask that question, I’m directing them to do a cybersecurity assessment, number one, just to get a snapshot of how their security posture is and to get some professional advice as to what framework to put in place if they don’t have one already.
[00:13:37.240] – Sherwin Yoder
Some may have them already. We mentioned some of those frameworks that are listed in the statute. Well, what if I’m already regulated by HIPAA, for example, the Health Insurance Portability and Accountability Act, or the high-tech amendments to that?
[00:13:54.630] – Sherwin Yoder
What if I’m regulated by the banking regulations under Gramm-Leach-Bliley, or I’m a credit card merchant and I have to comply with PCI DSS, the Payment Card Industry Data Security Standard. Wish we could get rid of some of those [crosstalk 00:14:10].
[00:14:10.570] – Jason Pufahl
Yeah, you named off plenty already, right?
[00:14:13.430] – Sherwin Yoder
This statute gives you credit for that. So, if you have a good program in place already complying with those regulations, you come into the safe harbor. So, it may be just a question of getting that assessment and making sure you’re documenting your program well enough to get credit should you be called upon down the road to demonstrate that?
[00:14:34.490] – Speaker 2
I think that we find that we have many customers that don’t necessarily fall under any of those requirements explicitly but still want to improve their overall organizational security. We certainly have conversations where customers don’t know what standard is right to choose and whether there are options on that front. What are the common components that are worthy of the most prioritized effort in your opinion?
[00:15:03.670] – Sherwin Yoder
Oh, boy. Well, first of all, let me say that if you don’t have to comply with a particular regulatory framework, it’s not really a legal question as to which cybersecurity framework to choose. That’s why I referred to getting some professional advice on that. That would come from folks like you at Vancord or whoever your technology advisor might be, assuming that they have the correct credentials for that.
[00:15:34.590] – Sherwin Yoder
That’s the place to start in terms of which framework to use in terms of… Are you asking me what shortcomings I see most often in security programs of clients or are you asking something different? I want to make sure I answer your question.
[00:15:54.580] – Speaker 2
I think that’s a reasonable thing to cover, certainly. But, for example, when you talked about mapping out data that an organization needs to protect. I’m certainly immediately thinking about data governance and data classification as immediate tasks that are almost certainly required under most of these frameworks. What are the commonalities?
[00:16:18.310] – Sherwin Yoder
I’ve got you. Yes, thank you for clarifying that. So yes, data mapping and taking an inventory of your systems and where your data resides, and what kind of data you have. That’s definitely the first step and that’s a worthy exercise to go through even without necessarily engaging somebody right away on the outside, assuming you have some folks who can think through those things with you.
[00:16:47.590] – Sherwin Yoder
So yeah, data mapping is critical. That could be as simple as a spreadsheet, making a spreadsheet to identify your systems and what data passes through there. Is it in the cloud? Is it here on-premises? Who has access to it in our organization? You want to make sure you have visibility on your systems and the data that they process and who has access to it. That will serve you for being able to figure out from that point, where are my risks or where to focus my risk analysis?
[00:17:24.120] – Speaker 3
So are there any guidelines in the bill? It seems like a lot of this is going to be based on you being able to prove that you’re meeting these frameworks. How often do they need to do it? Is this something that needs to be done every single year, every six months, every two years? What’s the guidance there?
[00:17:39.970] – Sherwin Yoder
Two things I would say to that. One, there is a built-in deadline, so to speak, or incentive to keep up with the program. The safe harbor goes away if you are not up to within six months of the last amendment to whatever cybersecurity framework that you’re following.
[00:18:03.850] – Sherwin Yoder
So, if there was a change to the NIST Cybersecurity Framework, and that’s the one that you’re keying off of, and you don’t implement that within six months from the publication of that revision to the framework, then you might fall out of compliance with the safe harbor. And that applies to all the frameworks, even HIPAA, if you’re a HIPAA compliant or Gramm-Leach-Bliley, or whatever it might be, PCI DSS. Six months is the key. So that’s pretty aggressive.
[00:18:37.820] – Jason Pufahl
That is aggressive.
[00:18:40.420] – Sherwin Yoder
Yeah. It requires you to stay on top of the publications. So, query how you do that, and then also to be able to be agile enough to get those changes implemented within six months, which can be a challenge.
[00:18:54.410] – Speaker 3
Yeah. I’m just wondering about the documentation for actually testing that stuff. Does that have to be dated back a certain amount or what’s the threshold there? Let’s say I go through a certification with a company like Vancord, and I say, hey, now we’re NIST-certified. If we did that a year ago, are we still covered?
[00:19:17.350] – Sherwin Yoder
So, with NIST, there’s no certification requirement. So, if you adopt a cybersecurity framework that includes attestation or certification, we didn’t mention this one, but for example, the ISO 2700 series, that’s the International Organization for Standardization.
[00:19:39.100] – Sherwin Yoder
That has a cybersecurity and privacy framework which does require a fair amount of assessments in preparation for an audit. Then the audit produces that certification which has to be renewed every X number of years. I don’t know that off the top of my head. The other frameworks don’t really require that.
[00:20:02.990] – Sherwin Yoder
So, it’s a good question. I think it’s really a matter of implementing and maintaining your program in good faith so that if down the road you were called upon to demonstrate either by a regulator or in litigation in a lawsuit, you’d be able to demonstrate at that point in time that, hey, when this bad thing happened, we were within six months of the most recent.
[00:20:34.830] – Jason Pufahl
We’re nearing our time here, but there is something I wanted to touch on briefly—or actually, Sherman—I was going to ask you to touch on a little bit. We really focused this discussion on a Connecticut Act. Frankly, I’m proud to be in a state that actually does something to incentivize adoption of a standard like this.
[00:20:57.330] – Jason Pufahl
But we’re not the only ones. I know, at least, Massachusetts has a Privacy Act. I think that’s not dissimilar, probably a couple of other states. So I’m curious, can you spend a minute or two on other states that have done something similar, or maybe if a business in Connecticut has divisions or something that in other states, are there things that they need to be mindful of relative to that?
[00:21:22.970] – Sherwin Yoder
Certainly. I know of only two other states that are adopting this incentive approach, creating a safe harbor for companies that establish a written cybersecurity framework. One of those recognized frameworks. Those would be Utah and Ohio. But in those States, the law goes a little further than Connecticut’s law.
[00:21:46.680] – Sherwin Yoder
So, in those States, they actually create what’s called an affirmative defense to a data breach lawsuit so that they’re not only protecting businesses against punitive damages, but businesses within the safe harbor actually have an affirmative defense to all damages, basically, to suit. So it’s a very powerful tool.
[00:22:09.930] – Sherwin Yoder
The caveat, of course, with this, including the Connecticut statute, is that we’re talking about negligence. What’s is reasonable or unreasonable. If you have a cyber security framework and you do something unreasonable, like reckless. You waited way too long to take action on something that your framework said to do, you’re not going to get the benefit of the safe harbor there. Those are caveats or carve-outs from the safe harbor would be reckless or gross negligence. That type of language you see in the statute.
[00:22:47.180] – Sherwin Yoder
The other states really don’t have anything like this. There are some states again like California, Massachusetts, you mentioned where they might put down the hammer, so to speak, like requiring businesses to have a written information security program and to have a minimal level of security but it’s not defined off of a cybersecurity framework. So, it’s a little more nebulous, for lack of a better word, and businesses are being told what to do not necessarily how to do it.
[00:23:24.010] – Jason Pufahl
But another good example, at least, of moving in the right direction to encourage people to adopt these standards, which for me, is encouraging. I find myself feeling optimistic that we’ll see some more proactive changes in this space.
[00:23:42.470] – Jason Pufahl
So, I’d like to wrap up I think here quickly. It’s a really interesting opportunity for Connecticut businesses to improve their security program, reduce business risk and maybe some legal risk as well. So, I appreciate you coming on spending some time discussing this. Hopefully, people who’ve listened have a much better understanding of what this thing intends to be and how they can comply with it.
[00:24:14.750] – Jason Pufahl
As always, we ask people to reach out to us on LinkedIn at Vancord or Twitter, @Vancord Security. Sherwin, if we get some inquiries here, I want to have you as a follow-up. Hopefully, you join again and provide some additional clarity if people want to.
[00:24:29.180] – Sherwin Yoder
I’m happy to respond to queries. I don’t ignore emails. People are welcome to email me firstname.lastname@example.org. If you just go to carmodylaw.com, you’ll find the directory there for my contact information as well. I am on LinkedIn, Sherwin Yoder, and I welcome inquiries or questions. Thanks again for having me. It’s fun to talk about this stuff, especially with people who care.
[00:24:59.030] – Jason Pufahl
We appreciate you joining for sure, and actually, honestly, I’m looking forward to finding more opportunities to bring you on because it’s been great and I have no doubt people will get a lot of value out of this. So thanks for joining. I appreciate it, Sherwin.
[00:25:11.210] – Sherwin Yoder
Thank you, guys.
[00:25:12.220] – Jason Pufahl
All right. Matt, Steve, thanks again as always. Thanks, everybody listening. Hopefully, you got some value out of this and we’ll be looking forward to comments going forward. Thanks.
[00:25:24.390] – Speaker 1
Stay vigilant, stay resilient. This has been CyberSound.