5 Things Companies Should Know About Colorado’s New Privacy Law

Colorado, the home of Dizzion headquarters, recently passed a major new privacy law that will affect any company that deals with the personal information of Colorado residents. This is a far reaching law that has been gaining a lot of attention — and that goes into effect in only two and a half months.

To help you get a handle on the changes and understand the potential impact, Dizzion turned to cybersecurity expert Mitch Tanenbaum, a Partner at CyberCecurity, to outline the must-know facts about the law and give organizations some guidance on what it means for them.

1. Why are lawyers calling the new Colorado Privacy law “Landmark”?

The new Colorado Privacy and Cybersecurity law, officially known as H.B. 18-1128 and which takes effect on Sep. 1, 2018, is a major change to Colorado’s privacy law. All companies who do business in Colorado and that handle personally identifiable information (PII) are required to comply. There is no exemption for small businesses. This is a very unusual situation.

2. What are the basic requirements of the law?

Businesses must implement and maintain reasonable security measures to protect documents containing personally identifiable information, both on paper and electronically. They must contractually require third parties that they share this data with, such as cloud service providers and other vendors, to implement those same reasonable security measures and they must implement a written policy covering the disposal of documents containing PII. In addition, the definition of PII in this law is extremely broad. Finally, businesses who have a data breach must notify the parties affected within 30 days with no extensions. This is the toughest notification provision in the country.

3. What is the definition of reasonable?

Conveniently, the law doesn’t define that, but they do say that it should be commensurate with the risk. Ultimately, if the Attorney General asks, you need to be able to convince her that what you have done is reasonable. It is our opinion that “reasonable” means “best practices” and those have become pretty clear for cybersecurity (see below).

Our current AG was very involved in the crafting of this bill, so assume that she has a strong opinion of what is reasonable. The definition of reasonable will be adjusted as a result of the lawsuits that the AG files over the next couple of years.

4. What are the consequences of not complying?

The Attorney General can sue for non-compliance and also to recover damages to Colorado residents. More significantly, the AG can file criminal charges if requested by any local District Attorney or the Governor.

5. What are the key components of a company’s reasonable security program?

Again, thinking in terms of “best practices,” some of the key components of a reasonable security program include:

• Create and implement a written information security program
• Perform a risk assessment annually
• Implement ongoing employee training
• Encrypt data at rest
• Implement a set of security policies and procedures
• Create a disaster recovery program
• Implement an incident response program
• Create a document/data retention and disposal policy
• Implement a third party/vendor cyber risk management program.

This is not an exhaustive list and it represents significant work, but it is also a very strong commitment to solving the problem. If you have done all of these things and the AG asks you to defend your program as reasonable, we think you are in a strong position to defend it.

CyberCecurity offers a Business Cybersecurity Certification Program that provides everything that most single-location businesses that do not have special security requirements (such as financial service, healthcare or defense companies) need. We can also assist companies with more complex requirements on a custom basis.