What Do Cybersecurity Laws like Connecticut HB 6607 Mean For Your Business?
Recently, Connecticut has become the third state to incentivize best practices in cybersecurity for businesses with HB 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses”.
This new law prohibits the Superior Court of Connecticut from assessing punitive damages against an organization that implements reasonable cybersecurity controls, such as the NIST Cybersecurity Framework or CIS Critical Security Controls.
Essentially, as long as the cybersecurity approach a business uses meets industry standards and is considered reasonable as a security platform, neither the cybersecurity firm nor the businesses using its services can be held legally liable in the case of a damaging cyberattack that exposes PII or other sensitive information.
This law, along with federal laws under discussion, highlights that C-level executives and boards of directors need to be as concerned with cyber risk as they traditionally are with fiscal risk. The stakes are just as high, and proper approaches to risk mitigation are required to maintain business solvency.
So if your business is located in Connecticut, Ohio, or Utah (or if you want to proactively follow best practices to help protect personal data and shield your company from legal harm), what steps should you be taking?
1. Assess Your Current Cybersecurity Posture Against the NIST or CIS Frameworks
Both the NIST and CIS frameworks provide valuable direction for an organization’s overall approach to assessing and improving its cybersecurity posture. Beginning with the identification of vital assets in need of robust protection, these frameworks serve as actionable guides to enhancing the defense of that data and continually evolving protocols as more information becomes available. They lay the groundwork for organizations to start by implementing essential security services and then move on to more full-spectrum, advanced engineering coverage.
2. Prioritize Solutions and Services that Help Comply with the Framework
The CIS framework takes a priority-based approach to security controls, whereas NIST is considered to focus more heavily on assessing and reducing overall risk. Whichever framework you choose for your organization, the goal is to prioritize and protect your most valuable assets first. Complying with your chosen framework may include implementing a NextGen firewall, end-user workstation security, or advanced patching services. Thrive offers these services unbundled to enable the creation of a custom solution tailored to the needs of each client.
3. Create a Plan to Stay Up to Date as Frameworks Evolve
To help keep organizations protected, the CIS and NIST frameworks are continually updated, which is reflected in HB 6607. Organizations have six months from when the changes are published to re-comply with the frameworks to maintain compliance under the law.
Perhaps one of the biggest benefits of working with a security-first MSP is that its team of Certified Information Systems Security Professionals (CISSPs) can focus on staying up to date on the latest threats and breaches while you focus on your organization’s operations. In an ever-changing technology landscape, keeping up with best practices can be a headache. But no matter what approach you take, ongoing testing, validation, management, and reporting are key to its effectiveness.
By financially incentivizing adherence to well-established frameworks, these laws make cybersecurity a C-level, and even board-level, area of concern. They help establish clear targets for companies, which is critical in an era of non-stop marketing hype around new technologies and the constant news cycle around the latest attacks and bad actors. Plus, these laws should ultimately help safeguard all of our data, making criminal actions less of a moneymaker.
If you’d like to talk with a Thrive cybersecurity expert about how to navigate laws like Connecticut HB 6607, please contact us today and request a free assessment.