The Middletown Press (Middletown, CT)

State hands partial protection to businesses for data hacks

By Alexander Soule, Alex.Soule@scni.com; 203-842-2545; @casoulman

Under a new law that takes effect in October, Connecticut businesses are getting a shield against any punitive damages customers or business partners might seek in court as a result of identity theft or other disruptions from an information system intrusion — but only if they can demonstrate they have cybersecurity countermeasures in place.

IT security gained new urgency this year after a succession of high-profile “ransomware” attacks, in which hackers walled off systems for millions of dollars in ransoms in exchange for resumed access. The Biden administration announced recovery of $4.4 million in bitcoin paid to a crime ring called DarkSide, which had infiltrated systems that control the Colonial Pipeline, which funnels fuel as far as New York from the Gulf Coast.

Connecticut is pumping more than $11 million in additional funding to strengthen defenses for state agencies, including for older computer systems that Gov. Ned Lamont wants moved to a cloud infrastructure, allowing for better security, backup, remote access and services to state residents and businesses.

“We are under attack every day,” Lamont said last week at the University of Connecticut in Storrs, announcing the new law.

“Cyber criminals, wherever they may be, they’re knocking on all our doors trying to find that open window ... and they’re doing it faster and faster.”

Of more than 28,400 instances of fraud reported last year to the Federal Trade Commission by Connecticut residents and businesses, about 2 percent involved data breaches or cyber threats, or approaching 600 in all. During the COVID-19 pandemic last year, Griffin Hospital in Derby was forced to suspend its website after a ransomware attack against a company that managed its website on an outsourced basis.

A state Department of Administrative Services spokesperson said DAS is aware of four cyber attacks against state agencies in the past five years, all involving “a handful of machines” and with no data lost and no sums paid as ransom. The state has yet to keep any log of cyber attacks on municipal systems.

In March 2020, the Lamont administration hired a chief information security officer named Jeff Brown, who held a similar role in the Wilton office of financial giant AIG, with earlier career stops including GE Capital in Norwalk, BNY Mellon, Citigroup and Goldman Sachs.

“This (law) incentivizes the right behavior, as opposed to punishing the victims, which tends to be the way that things have been done in the past,” Brown said at UConn Storrs. “With digital government, we will be taking a lot of steps to make sure that that footprint stays safe.”

The new law provides a shield against punitive damages if companies can show they had “administrative, technical and physical safeguards” in place, presumably to include updated software; ongoing training on the risks, prevention and consequences of breaches; and operating procedures to reduce the odds of passwords or devices being stolen.

The law does not spare organizations the responsibility of informing customers of any breaches. After Equifax waited several weeks in 2017 to inform the public of a massive hack of its credit monitoring databases, the company agreed to pay nearly $5 million to Connecticut residents who were affected.

Connecticut is home to two major companies providing cybersecurity services: Datto in Norwalk, which offers data backup and security to small businesses through independent vendors that manage back-end systems on their behalf, and Deloitte, which has a data security consulting division in Stamford.

Several more have niche specialties, including Danbury-based Owl Cyber Defense, whose customers include the U.S. Department of Defense; and Zorus in Monroe, founded by a former Datto employee with a security suite for cloud-based systems.

In less than three months this spring, Datto doubled the number of “end point” systems protected by a ransomware detection tool it offers to about 500,000, according to CEO Tim Weller.

“The headlines you and I read are sort of scary — and that’s being processed by (businesses) as an increased willingness to pay some money for security, beyond maybe the antivirus (software) they’ve had in there for 15 years,” Weller said in May. “That’s absolutely rippling through. ... If you can’t protect your (business), all the rest of the creature comforts and Zoom conference calls or whatever solutions you are providing start to not matter.”

Mark Raymond is Connecticut’s chief information officer in charge of all data systems, having held the post for a decade after spending the entirety of his earlier career with the IT consultancy Accenture. Josh Geballe, chief operating officer in the Lamont administration, worked previously for IBM.

“As we emerge from this pandemic, there’s a couple of things that are clear — one is that the (cybersecurity) expectations on behalf of our citizens and businesses have changed,” Raymond said last week at UConn. “The cybersecurity landscape has also changed very dramatically ... both in the frequency and scale of events that we are all too familiar with.”

Photo: Arnold Gold / Hearst Connecticut Media file photo. Gov. Ned Lamont, right, listens as Josh Geballe speaks in March 2020 at the outset of the COVID-19 pandemic, in his role as chief operating officer for the state of Connecticut leading the state Department of Administrative Services. Under a new law signed by Lamont, Connecticut is investing more than $11 million to strengthen its computer systems against hacks, while preventing businesses from having to pay punitive damages if sued in court provided they can prove they have updated safeguards in place against breaches.
