Colorado, the home of Dizzion headquarters, recently passed a major new privacy law that will affect any company that deals with the personal information of Colorado residents. This is a far reaching law that has been gaining a lot of attention — and that goes into effect in only two and a half months.
To help you get a handle on the changes and understand the potential impact, Dizzion turned to cybersecurity expert Mitch Tanenbaum, a Partner at CyberCecurity, to outline the must-know facts about the law and give organizations some guidance on what it means for them.
The new Colorado Privacy and Cybersecurity law, officially known as H.B. 18-1128 and which takes effect on Sep. 1, 2018, is a major change to Colorado’s privacy law. All companies that do business in Colorado and handle personally identifiable information (PII) are required to comply. There is no exemption for small businesses. This is a very unusual situation.
Businesses must implement and maintain reasonable security measures to protect documents containing personally identifiable information, both on paper and electronically. They must contractually require third parties with which they share this data, such as cloud service providers and other vendors, to implement those same reasonable security measures, and they must implement a written policy covering the disposal of documents containing PII. In addition, the definition of PII in this law is extremely broad. Finally, businesses that suffer a data breach must notify the affected parties within 30 days, with no extensions. This is the toughest notification provision in the country.
Conveniently, the law doesn’t define what “reasonable security measures” are, but it does say that they should be commensurate with the risk. Ultimately, if the Attorney General asks, you need to be able to convince her that what you have done is reasonable. It is our opinion that “reasonable” means “best practices,” and those have become pretty clear for cybersecurity (see below).
Our current AG was very involved in the crafting of this bill, so assume that she has a strong opinion of what is reasonable. The definition of reasonable will be adjusted as a result of the lawsuits that the AG files over the next couple of years.
The Attorney General can sue for non-compliance and also to recover damages to Colorado residents. More significantly, the AG can file criminal charges if requested by any local District Attorney or the Governor.
Again, thinking in terms of “best practices,” some of the key components of a reasonable security program include:
This is not an exhaustive list and it represents significant work, but it is also a very strong commitment to solving the problem. If you have done all of these things and the AG asks you to defend your program as reasonable, we think you are in a strong position to defend it.
CyberCecurity offers a Business Cybersecurity Certification Program that provides everything that most single-location businesses that do not have special security requirements (such as financial service, healthcare or defense companies) need. We can also assist companies with more complex requirements on a custom basis.