The market for -171 and CMMC compliance just got much bigger in Connecticut.
On 2021-07-06 Governor Lamont signed Public Act No. 21-119 into law.
The act's purpose is to incentivize the adoption of cybersecurity standards by allowing businesses that adopt certain cybersecurity frameworks to plead an affirmative defense to any cause of action alleging that a failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.
You use an affirmative defense to get out of lawsuits, like a get-out-of-jail card (but really expensive), if you have good cybersecurity. Affirmative defenses make you not liable or at fault during a lawsuit over a data breach. The defense (you) has to explain the burden of proof in your answer. In Connecticut you now get a list of cybersecurity frameworks to choose from.
If you can prove to an insurance adjuster that your systems stay in compliance (more likely, they will require third-party attestation before insuring), you get an affirmative defense.
Companies can choose from the following frameworks:
- Framework for Improving Critical Infrastructure
- NIST SP-800-171
- NIST SP-800-53
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
- ISO/IEC 27000-series
We tried to get CMMC Level Three included, but the bill did not receive any markup. Our friends in the Capital let us know CMMC Level 3 would count for NIST SP-800-171 since it subsumes all 110 controls.
The demand for CMMC and -171 or -53 compliance just skyrocketed in Connecticut.