New Connecticut Cybersecurity Law goes into effect 10/1/2021:

(d) (1) A covered entity's cybersecurity program, as described in subsection (b) of this section, shall be designed to do the following with respect to personal and restricted information: (A) Protect the security and confidentiality of such information; (B) protect against any threats or hazards to the security or integrity of such information; and (C) protect against unauthorized access to and acquisition of the information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates.
(2) The scale and scope of a covered entity's cybersecurity program shall be based on the following factors: (A) The size and complexity of the covered entity; (B) the nature and scope of the activities of the covered entity; (C) the sensitivity of the information to be protected; and (D) the cost and availability of tools to improve information security and reduce vulnerabilities.

Good thing that Energy Central provides some useful materials to help Companies manage these risks, to prevent from paying punitive damages in the event of a breach.