Author: Tristan Neate, CP Cyber
On September 1st Colorado's HB18-1128 went into effect. This law takes one of the toughest stances on consumer data protection in the country, and its implications affect consumers, business owners and government branches. The law requires Colorado businesses and government entities to dispose of unused data, disclose breaches, and protect data.
Consumers benefited greatly from these changes and overall gained much more insight into exactly how businesses are protecting their data, from start to end. Businesses are now required to have a written policy regarding the disposal of personal information (license number, social security number, etc.). This policy must disclose not only how the data will be destroyed, but when it will be destroyed. This time frame must be within a reasonable period after the data is "no longer needed". The intent behind this law is to give consumers more insight into how their data is being handled while also forcing businesses to remove that data once it is no longer needed, eliminating the chance of it being breached.
In the event that a data breach does occur, the business entity now has 30 days from detection to notify its consumers. Additionally, if a data breach exposes the data of more than 500 Colorado residents, then the business must notify the Colorado Attorney General or its office. Notifying the Attorney General will ensure that the notification of consumers is timely and comprehensive. This is another big victory for the consumer: companies can no longer beat around the bush when something has gone wrong, and they must keep the consumer in the loop.
While the changes previously mentioned will greatly benefit consumers, they won't have a large impact on the daily operations of businesses. What could have a larger impact on business owners is Section 6-1-713.5, which states that a covered entity "… shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations". By leaving "reasonable security procedures" undefined, the law leaves a great deal open to interpretation. As of now it is left up to the business to decide, but it's certainly not hard to see this law evolving into a requirement that all businesses handling sensitive data have a recent penetration test or security assessment performed by a third party. All it would take is one massive breach in which the responsible company avoids full prosecution by claiming it deemed its "reasonable security procedures" sufficient to build support for that change. The New York Cybersecurity Regulations already impose this requirement on the state's financial institutions.
Government entities received their own section of the law that subjects them to all of these same requirements.
More About CP Cyber
CP Cyber is a full-service cyber security consulting firm helping our clients uncover risks and build top-of-the-line defenses to prevent cyber crimes. To find out more about us, visit our homepage here: https://cpcyber.com/ or follow our Colorado Cyber Security Google Page.