Colorado Protections for Consumer Data Privacy Act - What to Know

Last spring, Colorado followed the actions of several other states and countries by taking steps to enact legislation that helps consumers protect their data. The state passed the Protections for Consumer Data Privacy Act (HB18-1128). Signed into law on May 29, 2018, and taking effect on September 1, 2018, this legislation was dubbed, “the nation’s strongest privacy law” due to the law’s overarching precautions to thwart identity theft and protect consumers. This law not only encompasses large corporations, but also small businesses run by individuals. Only Colorado residents are covered under the legislation, but any organization storing a Colorado resident’s personal data is subject to the legislation, no matter their location in the United States. Key points in the Protections for Consumer Data Privacy Act include:

• All organizations (commercial and government) must have a written policy which delegates how they store personally identifiable information (PII), as well as how they destroy this information when it is no longer needed. According to the legislation, “A covered entity that maintains, owns, or licenses personal identifying information of an individual residing in the state shall implement and maintain reasonable security procedures that are appropriate to the size of the business and its operations”
• If a data breach is detected, organizations must alert the affected consumers within 30 days, and if more than 500 Colorado residents are affected, the organization must alert the attorney general’s office
• Use of third-party data management firms does not remove responsibility from an organization in the event of a breach. It’s each organization’s responsibility to screen the data management and destruction policies in place for their third-party firms
• Consumers do not have the power to file lawsuits in the event of a breach. Enforcement power remains with the Colorado Office of the Attorney General

The use of the word “reasonable” in the first bullet is not further defined in the legislation. This was intended to provide the Colorado Office of the Attorney General with flexibility in enforcing the law, as businesses of different sizes and in different industries have varying levels of data volume and sensitivity. Personally identifiable information covered in this legislation includes:

• Social security numbers
• Passport numbers
• Driver’s license numbers
• Credit card information
• Student IDs
• Military IDs
• Medical and health insurance information
• Biometric data
• Usernames and passwords

Colorado lawmakers, along with lawmakers from other states and countries, are beginning to place heightened importance on consumer data security in the wake of massive data breaches such as the 2017 Equifax breach. There is a growing push nationally to give consumers more power over how their data is handled and destroyed, and how quickly they will be notified of breaches affecting them. Organizations across all industries must prepare for these changes immediately if they haven’t already done so. An important step in mitigating your risk of a data breach is an IT risk assessment. During these engagements, a third-party firm will review your information technology environment and identify risks, internal control weaknesses, and gaps in controls. Doing so will identify any shortcomings in your policies and procedures, and better prepare you for compliance with legislation such as this. Compass IT Compliance has been a trusted IT risk assessment partner for the past decade, helping organizations comply with GDPR, CCPA, MA 201 CMR 17, and Colorado’s HB18-1128. Contact us today to learn more about IT risk assessments, and if this service is the best fit for your unique data situation!