Last spring, Colorado followed the actions of several other states and countries by taking steps to enact legislation that helps consumers protect their data. The state passed the Protections for Consumer Data Privacy Act (HB18-1128). Signed into law on May 29, 2018, and taking effect on September 1, 2018, this legislation was dubbed, “the nation’s strongest privacy law” due to the law’s overarching precautions to thwart identity theft and protect consumers. This law not only encompasses large corporations, but also small businesses run by individuals. Only Colorado residents are covered under the legislation, but any organization storing a Colorado resident’s personal data is subject to the legislation, no matter their location in the United States. Key points in the Protections for Consumer Data Privacy Act include:
The use of the word “reasonable” in the first bullet is not further defined in the legislation. This was intended to provide the Colorado Office of the Attorney General with flexibility in enforcing the law, as businesses of different sizes and in different industries have varying levels of data volume and sensitivity. Personally identifiable information covered in this legislation includes:
Colorado lawmakers, along with lawmakers from other states and countries, are beginning to place heightened importance on consumer data security in the wake of massive data breaches such as the 2017 Equifax breach. There is a growing push nationally to give consumers more power over how their data is handled and destroyed, and how quickly they will be notified of breaches affecting them. Organizations across all industries must prepare for these changes immediately if they haven’t already done so. An important step in mitigating your risk of a data breach is an IT risk assessment. During these engagements, a third-party firm will review your information technology environment and identify risks, internal control weaknesses, and gaps in controls. Doing so will identify any shortcomings in your policies and procedures, and better prepare you for compliance with legislation such as this. Compass IT Compliance has been a trusted IT risk assessment partner for the past decade, helping organizations comply with GDPR, CCPA, MA 201 CMR 17, and Colorado’s HB18-1128. Contact us today to learn more about IT risk assessments and to find out whether this service is the best fit for your unique data situation!