Connecticut Limits Legal Exposure for Cyber-Prepared Businesses
HB 6607 shields companies from punitive damages in data breach lawsuits — if they maintain a qualifying cybersecurity program.
What HB 6607 Does for You
If your business suffers a data breach and faces a tort lawsuit in Connecticut, HB 6607 prevents the court from assessing punitive damages against you — as long as you had a qualifying written cybersecurity program in place. The protection applies to tort claims, including:
Negligence
Punitive damages blocked for claims that you failed to implement reasonable controls.
Privacy Claims
Punitive damages blocked for claims of unauthorized access to personal or restricted information.
Other Tort Claims
Punitive damages blocked for any tort-based action arising from a data breach.
What Your Program Needs
The law is deliberately flexible — your program must be proportionate to your business. Four conditions:
Written Cybersecurity Program
Administrative, technical, and physical safeguards protecting personal and restricted information.
Conformance to a Recognized Framework
Conformance to the current version of one or more of the frameworks listed below.
Appropriate Scale & Scope
Proportionate to your size, complexity, data sensitivity, and cost of available tools.
Stay Current with Updates
Adopt revisions to your chosen framework within six months of publication.
* PCI DSS must be used in conjunction with a general framework.
Punitive Damages Matter More Than You Think
Punitive Damages = Your Biggest Financial Risk
In large data breach cases, punitive damages can dwarf compensatory awards. By maintaining a qualifying cybersecurity program, you eliminate the most unpredictable — and often largest — category of financial exposure.
The protection doesn't apply when the failure to implement reasonable cybersecurity controls was the result of gross negligence or willful or wanton conduct.
Every Requirement. One Platform.
Written program with safeguards: 73-domain assessment + policy creation wizard to build your program
Framework conformance: NIST CSF, ISO 27001, SOC 2, HIPAA & PCI DSS
Appropriate scale & scope: Conditional logic adapts to your size, industry & environment
Stay current within 6 months: Periodic reassessment, implementation tracking & reporting
Protect personal & restricted info: Assesses safeguards, generates policies & guides implementation
A Growing National Movement
Seven states and counting. The program you build for Connecticut qualifies you elsewhere too.
Ready to Build Your Defense?
See how SignumCyber helps you qualify for safe harbor protection — and turn security into a business advantage.
30 minutes. No pressure. Just clarity.
This page is general information about Connecticut's cybersecurity safe harbor law (HB 6607), not legal advice. Consult a qualified attorney for guidance specific to your organization.