In response to the increasing number of massive data breaches over the last several years, the Colorado legislature passed new requirements for protecting the personal information of Colorado residents. The Colorado Protections for Consumer Data Privacy (HB18-1128) applies to public and private organizations that handle, process, store or otherwise have access to electronic or printed personally identifiable information (PII) of Colorado residents.
Key actions organizations need to take include:
- Know the data – document what sensitive data is being recorded, how it flows through the environment and what controls are in place to protect it.
- Protect the data – implement appropriate security to protect it based on the environment, industry and threats.
- Destroy the data – only keep data, particularly sensitive information, as long as it is needed and then destroy it.
- Document – develop and implement formal security and privacy policies addressing Colorado requirements.
- Hold third parties accountable – integrate the security and privacy requirements into service provider agreements to ensure the responsibilities are understood.
- Prepare for a breach – like any disaster, planning ahead is critical. Organizations must have written procedures prepared to address reporting requirements and make sure everyone understands their role.
There are additional details, but these are the major items to address. The measures are required now, as the law went into effect on September 1, 2018. The law requires disclosure of a breach to the Colorado Attorney General. When that occurs, the AG’s office will investigate and determine whether the reporting organization demonstrated due care or whether penalties are appropriate. We recommend that organizations review the requirements, implement missing components and make sure they are demonstrating due care.
If you have questions about these new requirements and their impact on your organization, please contact one of RubinBrown’s Cyber Security Services Group professionals.
Readers should not act upon information presented without individual professional consultation.