As of October 1, 2021, Connecticut becomes the third state with a data breach litigation “safe harbor” law, Public Act No. 21-119. Following the lead of Utah and Ohio, Connecticut will now prohibit the assessment of punitive damages against a “covered entity” in data event litigation where the plaintiff (1) asserts common law tort claims and (2) alleges that a defendant’s “failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information.” [Note: “covered entity” as defined under the Connecticut law is “a business that accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside this state”].

However, this protection applies only if the “covered entity” “created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework” as additionally specified in Public Act No. 21-119, among other requirements. Additionally, the limitation on punitive damages does not apply if the defendant’s conduct amounted to gross negligence or willful or wanton conduct under Connecticut law.

In the absence of federal privacy legislation, more and more states will continue to take matters into their own hands, with diverging results, as seen here with regard to cybersecurity litigation. For more on these developments as they occur, stay tuned. CPW will be there to keep you in the loop.