SB00403 • 2026

AN ACT CONCERNING CYBERSECURITY.

Healthcare Labor Technology
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor: Public Safety and Security Committee
Last action: 2026-03-05
Official status: Public Hearing 03/10
Effective date: Not listed

Plain English Breakdown

Checked against official source text during the last sync.

Connecticut Cybersecurity Act

This act establishes cybersecurity requirements for businesses, healthcare entities, government contractors, critical infrastructure operators, and financial institutions in Connecticut.

What This Bill Does

  • Creates a cybersecurity framework that businesses must follow to be considered compliant with state laws.
  • Protects employees who report security issues from being fired or punished by their employers.
  • Requires companies to notify the state if they experience a major cyber attack within 72 hours.
  • Establishes minimum cybersecurity safeguards for covered entities, including regular risk assessments and data encryption.
  • Sets up a grant program called 'Connecticut Cybersecurity Seed Fund' to help businesses improve their security systems.
  • Creates a 'bug bounty' program where researchers can find vulnerabilities in state-owned systems without fear of legal consequences.

Who It Names or Affects

  • Businesses, healthcare providers, government contractors, critical infrastructure operators, and financial institutions operating in Connecticut.

Terms To Know

Covered entity: A business or organization that handles sensitive data or operates critical infrastructure in Connecticut.
Material security deficiency: A significant failure to maintain cybersecurity standards that could harm public safety or disrupt operations.

Limits and Unknowns

  • The bill does not specify penalties for non-compliance with the new requirements.
  • It is unclear how much funding will be allocated to the 'Connecticut Cybersecurity Seed Fund' grant program.

Bill History

  1. 2026-03-05 Connecticut General Assembly

    Public Hearing 03/10

  2. 2026-03-04 Connecticut General Assembly

    Referred to Joint Committee on Public Safety and Security

Official Summary Text

To establish various cybersecurity provisions relating to (1) a cybersecurity framework, (2) a prohibition on penalizing cybersecurity employees for certain reports, (3) notifications regarding cybersecurity incidents, (4) minimum safeguards, (5) quantum-transition readiness requirements, (6) the "Connecticut Cybersecurity Seed Fund" grant program, (7) a "bug bounty" program, (8) the dissemination of cybersecurity intelligence, (9) the State Cybersecurity Intelligence Task Force, and (10) the state's operational response to cybersecurity emergencies.

Current Bill Text

General Assembly Raised Bill No. 403
February Session, 2026 LCO No. 2691

Referred to Committee on PUBLIC SAFETY AND SECURITY

Introduced by:
(PS)

AN ACT CONCERNING CYBERSECURITY.
Be it enacted by the Senate and House of Representatives in General
Assembly convened:

Section 1. (NEW) (Effective October 1, 2026) As used in this section and sections 2 to 11, inclusive, of this act:
(1) "Covered entity" means any business, health care entity or government contractor operating in the state that maintains or possesses sensitive data or operates critical infrastructure;
(2) "AAL3 identity assurance" means authentication requiring high-confidence identity proofing and forensic-grade verification of identity credentials that resists impersonation, replay and credential compromise;
(3) "Non-repudiation" means a security state in which no party to a transaction can deny the validity of such transaction or a corresponding access log; and
(4) "Material security deficiency" means a systemic failure to maintain cybersecurity standards that poses a foreseeable risk to public safety or operational continuity.
Sec. 2. (NEW) (Effective October 1, 2026) (a) Notwithstanding any provision of the general statutes, on and after July 1, 2027, any covered entity that maintains a cybersecurity program in compliance with the "Cybersecurity Framework 2.0" published by the National Institute of Standards and Technology and AAL3 identity assurance standards shall be deemed in compliance with all applicable state laws and regulations that establish equivalent cybersecurity requirements.
(b) Not later than July 1, 2027, each critical infrastructure entity shall utilize decentralized security architectures that provide non-repudiation functions and eliminate centrally stored passwords or biometrics.
Sec. 3. (NEW) (Effective October 1, 2026) (a) No employer shall discharge, discipline or otherwise penalize or threaten an employee who is a cybersecurity professional because such employee, or a person acting on behalf of such employee, reports a material security deficiency or a failure to maintain non-repudiation standards to a supervisor or the Division of Emergency Management and Homeland Security within the Department of Emergency Services and Public Protection.
(b) The protections provided under subsection (a) of this section shall be in addition to any protections provided under section 31-51m of the general statutes.
Sec. 4. (NEW) (Effective October 1, 2026) (a) Not later than seventy-two hours after a covered entity discovers a cybersecurity incident resulting in unauthorized access to sensitive data, disruption of public services or operational continuity or material risk to such critical entity's sensitive data, critical infrastructure, public services or operational continuity, the covered entity shall notify the Division of Emergency Management and Homeland Security within the Department of Emergency Services and Public Protection.
(b) The notification shall include, to the extent known by the covered entity: (1) A description of the nature and scope of the cybersecurity incident, (2) a description of the affected systems, networks or data, (3) an estimate of the duration of the cybersecurity incident, and (4) an assessment of any impact on the covered entity's operations, financial effects or public impact.
(c) The covered entity shall provide supplemental notice to the division as additional information becomes available.
Sec. 5. (NEW) (Effective October 1, 2026) On and after January 1, 2027, each covered entity shall implement and maintain minimum cybersecurity safeguards consistent with "cybersecurity framework" principles published by the National Institute of Standards and Technology, including, but not necessarily limited to:
(1) The timely installation of critical security patches and system updates;
(2) The encryption of sensitive data at rest and in transit;
(3) The implementation of backup systems capable of restoring operations in the event of a ransomware incident or system compromise; and
(4) A cybersecurity risk assessment conducted at least annually.
Sec. 6. (NEW) (Effective October 1, 2026) (a) On and after January 1, 2028, each critical infrastructure entity, health care provider, financial institution and state agency shall adopt a quantum-transition readiness posture, including, but not necessarily limited to, planning for migration toward post-quantum cryptography approved by the National Institute of Standards and Technology.
(b) On and after January 1, 2028, such entities, providers, institutions and agencies shall implement cryptographic agility architectures capable of rapid algorithm replacement in accordance with nationally recognized standards.
Sec. 7. (NEW) (Effective October 1, 2026) There is established the "Connecticut Cybersecurity Seed Fund" grant program. The Deputy Commissioner of the Division of Emergency Management and Homeland Security within the Department of Emergency Services and Public Protection shall administer the program. Pursuant to such program, the deputy commissioner shall provide grants-in-aid for the establishment of decentralized and non-repudiated security solutions by entities based in the state. An entity may submit an application for a grant under this section in a form and manner prescribed by the deputy commissioner. Not later than January 1, 2028, and annually thereafter, the deputy commissioner shall submit a report on the program to the joint standing committee of the General Assembly having cognizance of matters relating to public safety and security in accordance with the provisions of section 11-4a of the general statutes.
Sec. 8. (NEW) (Effective October 1, 2026) Not later than January 1, 2028, the Division of Emergency Management and Homeland Security within the Department of Emergency Services and Public Protection shall establish a "bug bounty" program. Pursuant to such program, vetted security researchers shall be authorized to identify cybersecurity vulnerabilities in designated state-owned systems. Researchers operating in good faith within the scope of the program shall be immune from any liability, civil or criminal, which might otherwise be incurred or imposed.
Sec. 9. (NEW) (Effective October 1, 2026) The Connecticut Intelligence Center within the Division of Emergency Management and Homeland Security within the Department of Emergency Services and Public Protection shall collect and disseminate cybersecurity intelligence on behalf of the state.
Sec. 10. (NEW) (Effective October 1, 2026) (a) There is established a State Cybersecurity Intelligence Task Force to analyze cybersecurity intelligence matters, coordinate actions relating to cybersecurity and identify systemic cybersecurity risks.
(b) The task force shall consist of the following members:
(1) The Commissioner of Emergency Services and Public Protection, or the commissioner's designee;
(2) The Commissioner of Administrative Services, or the commissioner's designee;
(3) The Adjutant General of the Military Department, or the Adjutant General's designee; and
(4) The Deputy Commissioner of the Division of Emergency Management and Homeland Security within the Department of Emergency Services and Public Protection, or the deputy commissioner's designee.
(c) The Commissioner of Emergency Services and Public Protection shall select the chairpersons of the task force from among the members of the task force. Such chairpersons shall schedule the first meeting of the task force, which shall be held not later than December 1, 2026.
(d) The task force shall meet not less than quarterly and shall report its findings and recommendations to the joint standing committee of the General Assembly having cognizance of matters relating to public safety and security in accordance with the provisions of section 11-4a of the general statutes as the task force deems appropriate.
Sec. 11. (NEW) (Effective October 1, 2026) (a) The Division of Emergency Management and Homeland Security within the Department of Emergency Services and Public Protection shall coordinate the state's operational response to cybersecurity emergencies.
(b) The Deputy Commissioner of the Division of Emergency Management and Homeland Security within the Department of Emergency Services and Public Protection, or the deputy commissioner's designee, shall serve as the primary liaison between the State Cybersecurity Intelligence Task Force established pursuant to section 10 of this act and local emergency management directors.

This act shall take effect as follows and shall amend the following
sections:

Section 1 October 1, 2026 New section
Sec. 2 October 1, 2026 New section
Sec. 3 October 1, 2026 New section
Sec. 4 October 1, 2026 New section
Sec. 5 October 1, 2026 New section
Sec. 6 October 1, 2026 New section
Sec. 7 October 1, 2026 New section
Sec. 8 October 1, 2026 New section
Sec. 9 October 1, 2026 New section
Sec. 10 October 1, 2026 New section
Sec. 11 October 1, 2026 New section

Statement of Purpose:
To establish various cybersecurity provisions relating to (1) a cybersecurity framework, (2) a prohibition on penalizing cybersecurity employees for certain reports, (3) notifications regarding cybersecurity incidents, (4) minimum safeguards, (5) quantum-transition readiness requirements, (6) the "Connecticut Cybersecurity Seed Fund" grant program, (7) a "bug bounty" program, (8) the dissemination of cybersecurity intelligence, (9) the State Cybersecurity Intelligence Task Force, and (10) the state's operational response to cybersecurity emergencies.

[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except
that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not
underlined.]