Gov. Ned Lamont at a ceremonial bill signing (Hugh McQuaid / CTNewsJunkie)

Connecticut companies breached in cyberattacks could be shielded from liability if they’ve adopted adequate security protocols under a new law designed to give businesses an incentive to shore up their digital defenses. 

Gov. Ned Lamont stressed the importance of proactive cybersecurity during a ceremonial bill signing Thursday at a research facility in the University of Connecticut’s Tech Park. Lamont said businesses, governments and utilities were constantly under electronic attack. 

“As our world gets increasingly interconnected, the threat brought by cyber expands exponentially,” Lamont said. “I think about this in layman’s terms and the first thing you gotta do is not let the bad guys into your house.”

Under the new law, companies can qualify for protection from punitive damages if they comply with specific, industry-recognized cybersecurity standards to protect personal or restricted information. The scope of protections required will scale based on factors like the nature of the participating businesses and the sensitivity of the information under their care.

The bill was drafted by the legislature’s Commerce Committee and passed unanimously in the House and Senate in June. 

Business advocates welcomed the policy. Eric Gjede, vice president of government affairs for the Connecticut Business and Industry Association, said his organization surveyed businesses in 2018 and found that nearly 25% reported experiencing data breaches or cyberattacks in the two years prior. Most were small businesses with fewer than 100 workers, he said.

Gjede said developing an adequate cybersecurity framework was expensive and “a heavy lift” for small companies with limited resources. 

“This act creates incentives for adopting recognized standards, providing a straightforward return on investment through the prohibition on punitive damages,” he said. 

Jeff Brown, the state chief information security officer, said the new policy will encourage companies to improve their security before their systems are breached.

“That incentivizes the right behavior as opposed to punishing the victims, which tends to be the way things have been done in the past. That kind of behavior needs to change,” Brown said. 

The new law will go into effect on Oct. 1. Lamont also plans to spend $11 million in bonded funding on shoring up Connecticut’s cybersecurity, according to a press release. The State Bond Commission is expected to approve the first $8.2 million when it meets next week.