Stamford Advocate (Sunday)

Praise for state’s cybersecurity efforts

- William B. Klein of Darien is the managing partner of Aegis Cyber Advisors, LLC, a Darien-based cyber security consulting firm serving the SME community. He can be reached at bklein@aegis-ca.com.

As a small business owner here in Connecticut, it is not often that I have the opportunity to praise our politicians. Far too often, the legislatures and regulators of the federal, state, and local governments send us nonsensical and complex burdens on our businesses. And far too often we ignore them because we cannot understand them or are unaware. But I will give credit to Gov. Ned Lamont and the Legislature because they have over the past 12 months put in place laws that help protect us from the ever-growing threat of cybercrime.

According to the National Cyber Security Alliance, 60 percent of small businesses fail within six months after a ransomware attack. And in a report by ransomware recovery specialists Coveware, a “tactical shift” has been introduced by many ransomware gangs, which includes a “deliberate attempt to extort companies that are large enough to pay a ‘big game’ ransom amount but small enough to keep attack operating costs and resulting media and Law Enforcement attention low.” The report states further that 82 percent of attacks that took place in 2021 impacted organizations with fewer than one thousand employees, and roughly 44 percent impacted companies with fewer than 100 employees. It is extremely critical that small businesses protect themselves against ransomware, and kudos to our state politicians for recognizing the threat.

Effective October 2021, the Connecticut Legislature expanded the reach of the data breach notification statute with PA 21-59, which required all businesses to notify victims of a data breach. The new law offers businesses a safe harbor against certain penalties if they have cybersecurity programs in place and can demonstrate that they conformed to one of the “industry-recognized” cybersecurity frameworks listed in the statute.

Further, Connecticut just joined California, Colorado, Utah, and Virginia in passing a comprehensive privacy law. The Connecticut Data Privacy Act (CTDPA) goes into effect July 1, 2023, at the same time as Colorado’s very similar law. Like other states, Connecticut provides consumers with the right to access, correction, portability, and deletion. It also gives consumers the right to opt out of processing data for targeted advertising, sales, and profiling. Strict enforcement will not take place for some time; however, businesses must begin preparing now to avoid expensive and potentially existential damage.

As the old saying goes, ignorance of the law is no excuse for non-compliance. As cybercrime grows at double-digit rates because the advantage is always with the attacker, Connecticut businesses must be ever-vigilant. According to the new laws, businesses here in Connecticut must now consider cyber risk along with the various other traditional business risks, or ignore it at their peril. And while I personally would prefer for businesses to first act in their own interests, I must give credit to our state government for bringing the force of law to protect us all from this growing and complex threat.
