Rebootwe make IT work

What "reasonable security" means for a Connecticut law firm

Last reviewed · July 14, 2026

The word shows up everywhere your obligations do. Reasonable efforts, in the conduct rule. Without unreasonable delay, in the breach statute. Reasonable data security practices, in the privacy act. Reasonable cybersecurity controls, in the act that decides punitive damages. No Connecticut authority defines it, and one statute skips the qualifier entirely and just says safeguard. What follows walks the sources in the shape you would want them walked: question presented, short answer, discussion, scope.

Question presented

A Connecticut firm holds client files, a trust account, and a mailbox that goes back years. Several Connecticut authorities require the firm to keep what it holds reasonably secure. What does the word require, and who decides?

Short answer

Nothing decides in advance. Two statutes and a professional conduct rule create the duty at increasing breadth, a privacy act adds its own version for firms inside its bounds, and one 2021 act lists the frameworks the legislature will accept as evidence of reasonableness. The operative definition gets assigned after an incident, by other people, reading whatever the firm was doing the day before. The practical objective is to make that reading uneventful.

Discussion

1. The baseline duty, which has no size floor. Conn. Gen. Stat. §42-471, on the books since 2008, applies to any person “in possession of personal information of another person.” The duty is one sentence: safeguard the data, computer files and documents containing that information from misuse by third parties, and destroy or make unreadable before disposal. A firm that collects Social Security numbers (closings, tax matters, estates) also owes a privacy protection policy, publicly displayed, that protects their confidentiality, prohibits unlawful disclosure, and limits access. Violations are unfair trade practices, and the Department of Consumer Protection can impose civil penalties of up to five thousand dollars per violation. Note the missing adverb: where everything else in this memo asks for reasonable, this statute just says safeguard, unqualified. Unqualified verbs are the ones counsel respects most. The rest of Connecticut law spends its energy describing how that one sentence will be judged.

2. The professional rule, which reaches the entire file. Rule 1.6(e) of the Rules of Professional Conduct: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” In force in Connecticut since January 1, 2014. Where §42-471 protects a defined list of identifiers, the rule covers everything relating to a representation, whatever its source. The commentary supplies the mercy: unauthorized access is no violation if the lawyer made reasonable efforts, judged by factors that include the sensitivity of the information and the likelihood of disclosure without added safeguards. After an incident, ABA Formal Opinion 483 picks up the thread, with duties to act promptly to stop and investigate a breach and to communicate with affected clients where required.

3. The breach statute, which defines the bad day in advance. Conn. Gen. Stat. §36a-701b. A “breach of security” is unauthorized access to or acquisition of computerized data containing personal information “when access to the personal information has not been secured by encryption” or an equivalent method. Notice runs to affected residents and to the Attorney General, “without unreasonable delay but not later than sixty days after the discovery of such breach.” Where Social Security or taxpayer identification numbers are involved, the firm also provides identity theft prevention services, at no cost, for at least two years. Failure to comply is itself an unfair trade practice, enforced by the Attorney General. The definition rewards a second read: personal information actually secured by encryption sits outside it, which makes laptop and phone encryption one of the few controls that can remove an entire statute from a bad day.

4. The privacy act, whose bounds moved this month. The Connecticut Data Privacy Act spent its first years out of most firms’ reach; it applied from 100,000 consumers a year. Public Act 25-113 took effect July 1, 2026 and redrew the entrance. The act now reaches persons doing business in Connecticut that processed the personal data of 35,000 or more consumers in the preceding year, and two new prongs carry no stated volume floor at all: controlling or processing consumers’ sensitive data, and offering consumers’ personal data for sale. Sensitive data, as amended, includes health conditions and diagnoses, immigration status, status as a victim of crime, and government-issued identification numbers. That reads like the contents of an ordinary client file in a family, injury, or immigration practice. Whether the act reaches your firm runs through definitions and exemptions this memo will not pretend to resolve; individuals dealt with in their business capacity are not “consumers,” and whole categories of entity are exempt. Put the coverage question to your own counsel this year rather than eventually. For a firm that is covered, the duty reads: “reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”

Where the word gets its content

The legislature never defined reasonable. In 2021 it did something more useful: it published the list of answers it will accept. Public Act 21-119 provides that in a Connecticut tort action alleging that a “failure to implement reasonable cybersecurity controls” resulted in a data breach, the Superior Court shall not assess punitive damages against a business that “created, maintained and complied with” a written cybersecurity program conforming to an industry-recognized framework. The named frameworks: the NIST Cybersecurity Framework, NIST special publications 800-171 or 800-53, FedRAMP, the CIS Critical Security Controls, the ISO/IEC 27000 series, and, for firms already regulated under them, the security requirements of HIPAA, Gramm-Leach-Bliley, FISMA or HITECH, with PCI DSS counting in combination with one of the others. The program must catch up within six months when a framework revises. The shield does not survive gross negligence or wilful and wanton conduct. And the act says plainly that a program may scale to the entity’s size and complexity, the nature and scope of its activities, the sensitivity of the information, and the cost and availability of tools. The ask is sized to the firm: a five-lawyer program, on paper, followed for real.

Enforcement reads the same way from the other side. The Attorney General’s office reported in February 2026 that its recent privacy work included flagging delayed and inadequate breach notices and finalizing multiple data breach settlements. And the fact patterns that recur in public breach enforcement, in Connecticut and elsewhere, are rarely sophisticated: the known vulnerability nobody patched, the mailbox without a second factor, personal data kept years after the matter closed, notice sent late. Hindsight assembles those into “unreasonable” without much effort.

The floor that clears it

For a small Connecticut firm, the floor under every source above looks like this, written into the program as what the firm actually does:

  • A written security program conforming to a named framework, with one owner and a review date. For most small firms the CIS Controls fit; the choice of framework matters less than conformance you can show.
  • Multi-factor authentication anywhere client information sits behind a password, the mailbox first.
  • Encryption on every laptop and phone that can hold client data. Section 36a-701b is the reason this one pays for itself.
  • Backups someone has watched restore, with the date of the last test written down.
  • A one-page bad-day sheet: who gets the first call, breach counsel’s number, the carrier’s notice line, and the sixty-day outer limit noted at the top.

Write the program at the level the firm meets on its worst week, and let practice run above the paper. When the word finally gets applied to your firm, the document and the reality have to match. Generous language in the program becomes evidence weighed against you, supplied by you.

Scope of this memorandum

Orientation only. Application of any statute above to your firm’s facts belongs to your own counsel, and the sensible order is counsel first, controls second, so the program you write matches the duties you actually carry. We do the controls half for Connecticut firms: the frameworks, the second factors, the restore tests, the evidence. If that half is where you want a second set of eyes, bring your current program, or the absence of one, to a fifteen-minute call: book a call.

Built for the desks we describe here →Book a 15-minute call →