2 State cybersecurity, data protection laws enacted
Connecticut law provides incentives for security; Colorado measure addresses consumer privacy
Dan Gunderman (dangun127)
July 13, 2021
Two states have recently taken steps to strengthen cybersecurity and data privacy protection.
Connecticut has enacted legislation designed to provide certain legal protections for companies that adhere to cybersecurity frameworks. And a new Colorado data privacy law allows individuals to opt out of data collection.
Connecticut Governor Ned Lamont signed the Cybersecurity Standards Act on July 2, joining Ohio and Utah in taking an incentive-based approach to implementing cybersecurity in business. The law comes into force on October 1.
The Colorado Privacy Act, enacted by Governor Jared Polis on Wednesday, grants residents the right to access, correct and delete personal data held by organizations. When the law comes into force on July 1, 2023, state residents will also be able to opt out of the sale of their information and the processing of their personal data for targeted advertising. Colorado joins California and Virginia as the only states with full privacy measures.
Safeguarding the Safe Harbor
Connecticut’s new law prohibits punitive damages from being assessed against organizations for a data breach if they have “reasonable” security controls in place. The law states that the court cannot assess such damages if the organization has created, maintained and adhered to a written cybersecurity program that offers administrative, technical and physical safeguards to protect personally identifiable information as well as restricted information.
The new state law states that organizations must comply with reviews and changes to industry-recognized cybersecurity frameworks, laws and regulations within six months of posting any changes.
“Cybersecurity is largely unregulated today; there is no national legal minimum standard for information security, which makes it difficult to improve cybersecurity globally,” said Curtis Dukes, executive vice president and general manager of security best practices at the Center for Internet Security. “Connecticut’s cybersecurity bill introduces a critical milestone – pushing for the adoption of cybersecurity best practices… to improve cybersecurity and protect citizen data.”
NIST, FedRAMP and more
The legal protections provided by the new law depend on compliance with one of these frameworks:
Legal protections are also applicable if an organization complies with these federal laws:
“It is extremely important to better protect businesses and consumers against cyber attacks,” said State Representative Caroline Simmons, who introduced the bill. “In Connecticut, we’ve taken a step to accomplish this voluntarily without regulation by pushing organizations to adopt cybersecurity best practices.”
Sadia Mirza, a partner at law firm Troutman Pepper, says Connecticut’s cybersecurity bill “encourages organizations to implement reasonable security procedures.” But regulators may find it difficult to determine exactly what constitutes a “reasonable” security measure.
Commenting on the law, Rich Santalesa, founder of the Sm@rtedgeLaw group, notes: “One of the concerns I have is that this law, as well as many other recent and similar state laws, is silent about any explicit sign of its including constitutional jurisdiction. It makes no reference to the personal data of Connecticut residents, nor to the fact that ‘covered entities’ actually do business in Connecticut.
“This means that this law and other similar laws could ultimately be challenged on the basis of due process … if they are widely applied.”
Colorado Data Privacy Act
Meanwhile, Colorado’s new data privacy law is the latest in a series of state initiatives designed to help protect privacy.
For example, Virginia recently enacted the Consumer Data Protection Act and the California Consumer Privacy Act came into effect in January 2020 (see: Privacy laws advance in 5 more states).
Colorado law applies to data “controllers” who operate in the state or produce or provide products/services to residents and control/process the personal data of at least 100,000 consumers per year. It also applies to controllers who derive income from the sale of personal data and process/control the information of more than 25,000 consumers.
Similarities with GDPR
The measure borrows from certain provisions of the European Union’s General Data Protection Regulation, or GDPR. These include requiring data protection assessments and imposing obligations on processors.
Colorado law gives consumers the right to:
- Access their personal data;
- Correct or remove inaccuracies in the data;
- Obtain a usable format of the data;
- Opt out of the processing of personal data for targeted advertising and data sales, including a universal one-click opt-out;
- Appeal a company’s refusal to take action.
The maximum penalty for each violation of Colorado law is $20,000, compared to $7,500 under Virginia law.
“Anytime more than one state legislates in a particular area, we’ll see differences that raise compliance issues,” says Marian A. Waldmann Agarwal of the Morrison & Foerster law firm.
But the state’s new privacy laws will encourage organizations to look at their security compliance positions “holistically,” says Mirza of Troutman Pepper.
And if more states enact privacy protections, it could create momentum for passing federal privacy law. So far, many efforts to enact such a law have failed.