How does Law Protect Businesses with Cybersecurity Certifications?

July 26, 2022

Connecticut approved Public Act 21-119 on July 6, 2021, to provide a legal safe harbor for businesses that take cybersecurity seriously.

With this legislation, Connecticut joins Ohio and Utah as the third state in the United States to offer a litigation safe harbor to firms that adopt an industry-recognized cybersecurity framework. The protection is statutory, not constitutional: it limits a company's exposure in tort actions arising from a data breach, as described below.

Connecticut's statute applies to both for-profit and non-profit organizations. The Governor signed it on July 6, 2021, and it took effect on October 1, 2021. With more states following this approach, it is becoming essential for businesses to engage a DFARS consultant in Virginia Beach for their compliance needs.

What does the new law cover?

Organizations that create, maintain, and comply with a written cybersecurity program conforming to an industry-recognized cybersecurity framework are protected by Public Act No. 21-119.

Under the act, a court may not assess punitive damages against a firm sued in tort for failing to implement reasonable cybersecurity controls that resulted in a data breach, provided the company designed, maintained, and adhered to a documented cybersecurity program that conforms to one of the qualifying frameworks. The safe harbor does not bar the lawsuit itself or ordinary compensatory damages; it removes the punitive-damages exposure. It also does not apply if the failure to implement reasonable controls was the result of gross negligence or willful misconduct.

Qualified Cybersecurity Structures

Connecticut's cybersecurity law does not compel businesses to use any particular cybersecurity framework.

Instead, you may choose the framework that best suits your organization and the data it handles.

The qualifying cybersecurity frameworks include the NIST Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework), NIST SP 800-171, NIST SP 800-53 and SP 800-53A, the CIS Critical Security Controls, and the FedRAMP Security Assessment Framework.

In addition to the frameworks above, businesses that are regulated under one of the following laws or standards are protected if their cybersecurity program complies with its requirements:

Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Modernization Act (FISMA), Health Information Technology for Economic and Clinical Health Act (HITECH), and the Payment Card Industry Data Security Standard (PCI DSS).

When a listed framework, regulation, or standard is revised, a business has six months from the publication of the revision to bring its cybersecurity program into conformity with the updated version.

Information to Protect

The safe harbor applies to breaches of personal information, meaning personally identifiable information (PII) such as:

  • Names
  • Personal identification numbers
  • Taxpayer identification numbers
  • IRS identity protection personal identification numbers
  • Driver's license numbers
  • State identification card numbers
  • Passport numbers
  • Military identification numbers
  • Credit and debit card numbers
  • Financial account numbers
  • Medical information
  • Health insurance policy numbers
  • Biometric data
  • User names and passwords
  • Email addresses

Expect more cybersecurity legislation in the future.

With the growing number of cyber attacks affecting public and private organizations across the country, we can expect to see more regulations of this kind, each urging businesses to implement cybersecurity safeguards.

New NIST and CMMC compliance requirements were recently implemented, affecting Department of Defense contractors and their suppliers.

Commercial firms, like defense contractors, need security expertise to prevent data loss and protect sensitive information.

Take a Lifecycle Approach to Security Controls in Cybersecurity.

Companies should treat DFARS cybersecurity as a lifecycle rather than as a set of products to be purchased.

Good cyber hygiene combines technical controls with sound information-management practices.

A security management lifecycle approach allows businesses to invest in the right technologies and processes to defend against cyber attacks.

When it comes to data security, there is no one-size-fits-all solution.

The lifecycle strategy ensures that you do not waste money on products you do not need or buy software to fix what is really a process problem.…