A new law that took effect on Saturday gives Colorado some of the most demanding standards for consumer data protection in the country. And businesses and government agencies that keep Coloradans’ personal information need to ensure they are ready to comply, experts say.
The Protections for Consumer Data Privacy Act was signed into law May 29 after winning unanimous approval during Colorado’s 2018 legislative session.
Primary sponsor Cole Wist celebrated the measure as “the nation’s strongest data privacy law” in a tweet that day. The Centennial Republican wrote the rules “will better protect CO consumers and will reduce the risk of identity theft.”
The law establishes three key responsibilities for businesses and government entities that keep either paper or electronic documents containing Coloradans’ personal identifying information, the Colorado Office of the Attorney General says. It applies to all businesses, from one-person operations to multi-national corporations.
- Businesses and agencies must have a written policy explaining how they will dispose of the personal information they keep and follow through on those procedures.
- If a data breach is detected, entities must alert consumers that their data has been compromised within 30 days. If more than 500 Coloradans are impacted, the entity must alert the attorney general’s office.
- Entities must take “reasonable” steps to protect the personal information they keep.
“The legislature did a good thing here,” said Erik Dullea, a partner in the Denver office of the law firm Husch Blackwell with a specialty in cyber security law. “They recognized that society is starting to have a change of mind-set when it comes to retaining data. If you’re one of these covered entities, you need to have your protection and policies in place to protect that personal identifying information.”
The statute defines personal identifying information as Social Security numbers, driver’s license or ID numbers, personal passwords, health insurance ID numbers and biometric data such as fingerprints. Breaches, as outlined in a business-focused, frequently-asked-questions page on the attorney general’s website, include a hacker electronically accessing data, a mobile data storage device or computer being misplaced, or unencrypted information being sent through a payment system.
Dullea notes that the law does not specifically define the “reasonable” steps entities must take to protect data. That was intentional, state officials say. The standard was intended to be flexible because different sized businesses and entities keep different kinds of data that may require more or less protection.
“What is reasonable will be further defined through the case law that evolves as a result of the enforcement of this law as well as other state laws with the same or similar standard,” Annie Skinner, a spokeswoman with the attorney general’s office, said of the standard.
The law does not give consumers the right to sue in the event of a leak. Enforcement power lies with the attorney general.
Using a third-party data management firm does not exempt a company from responsibility, Dullea said. Businesses need to understand the protection policies their contractors have in place and make sure they too comply with the law.
Grand Junction-based Colorado Document Security is one of those third-party contractors. The company shreds and disposes of documents for clients in four states. Its vice president, Scott Fasken, is a past president of the trade group the National Association of Information Destruction. He recommends businesses with a lot of document shredding and data destruction needs contract with firms certified by NAID that have downstream data insurance that can cover the cost of informing consumers in the event of a breach.
Another recommendation: Don’t keep data longer than necessary.
“If businesses have personal identifying information, they have a responsibility under the law to keep it for the shortest time necessary and destroy it in a professional, safe and compliant way,” he said.
Recent incidents such as the 2017 Equifax data breach that exposed the information of more than 145 million Americans and the Cambridge Analytica data mining scandal have made data security a hot-button issue for many. A California law that takes effect in 2020 gives consumers the right to know what data companies are keeping on them and for what purpose, and the power to order that it be deleted, mirroring new regulations adopted by the European Union.
Colorado’s law doesn’t go that far, but it does strengthen consumer protections in a state recently rated the second riskiest for identity theft.
“The damage caused by identity thieves can be life-altering for their victims, and this is an important piece of legislation that will help better protect Colorado consumers,” Colorado Attorney General Cynthia Coffman said in a statement.