On July 10th, Governor Malloy released the "Connecticut Cybersecurity Strategy" (available for download  here). The "Strategy" is a call to arms for state and municipal government, private business, higher education, and law enforcement in the fight against cyber attacks. The 39-page document describes particular cyber threats and their potentially catastrophic impacts on Connecticut business, health, and public safety; it proposes general plans of action for each stakeholder group; and it identifies available resources for plan execution.  The Strategy calls for action in seven areas: executive awareness and leadership; literacy; preparation; incident response; recovery and continuity; communication; and verification. Although the Strategy applies to Connecticut business broadly, the document highlights the roles particular to the critical infrastructure, financial services, insurance, and defense industries. 

We recommend that business leaders get familiar with the Connecticut Cybersecurity Strategy. It proposes a voluntary collaboration and contains no mandates for business.  However, the Strategy expressly declines to rule out future regulatory and legislative action.  The Strategy is a first step and presents "a pathway to a more detailed, operational action plan." The State recently took a similar approach with respect to the cybersecurity of public utilities.  In that context, it issued a strategy document in 2014, followed by an operational action plan in 2016, which has resulted in annual, confidential reporting on utility company cybersecurity programs.     

The Governor's move marks a crescendo of legislative and executive activity that demonstrates Connecticut's commitment to lead the charge in protecting data privacy and promoting cybersecurity.  Those activities have included the October 2016 appointment of the State's first Chief Cybersecurity Risk Officer (Arthur House, former Chair of the Public Utilities Regulatory Authority), the March 2015 creation of the Attorney General's Privacy and Data Security Department, updates to the State's computer crimes and data breach notification statutes, and legislation mandating verifiable, written information security programs for state contractors and certain businesses.

For more information on data privacy and security issues, including the details of the Connecticut Cybersecurity Strategy that may apply to your enterprise, please contact any member of our Data Privacy and Security practice group:

Sherwin M. Yoder, CIPP/US
(203) 784-3107; syoder@carmodylaw.com 

Jennifer A. Calcagni
(203) 575-2648; jcalcagni@carmodylaw.com

Damian K. Gunningsmith
(203) 784-3185; dgunningsmith@carmodylaw.com