Colorado Governor Signs New Cyber Security Bill Into Law
Effective September 1, 2018, *ALL* companies doing business in Colorado will have just 30 days to notify residents if their data was breached. That is just one of the new rules.
The rules apply to both government entities and businesses, which is a bit of a surprise. Different laws, but basically the same requirements.
What will businesses need to do?
- Have a written policy for the destruction or proper disposal of paper and electronic documents containing personal information.
- Implement and maintain reasonable security procedures and practices that are appropriate to the nature and size of the business. While this gives you a lot of wiggle room, you may need to justify to a judge or the attorney general why you called your practices reasonable. A much safer route would be to implement best commercial security practices. That would maker it much harder for the judge to argue with you.
- If you use any third party services (which is pretty much everybody), you must require that third party to implement and maintain reasonable security practices and procedures unless you choose to be liable for their practices instead (which is not a great idea).
- In case of a breach, notify residents providing specific information about the breach. If the business does not have sufficient information to contact residents directly or if the cost of contacting residents will exceed $250,000 (or a couple of other reasons), an alternate notification process will kick in, which includes a prominent notice on the company’s web site and notification via state-wide media.
- If the breach affects more than 500 people, the business must notify the attorney general and if it affects more than 1,000 people, the business must also notify the credit reporting agencies. Consumers cannot waive these rights in a contract or other agreement.
- If encrypted data is breached, notification is not required if the encryption mechanism is not compromised. This means that if a powered off laptop which is encrypted is stolen, then notification is likely not required, but otherwise, it probably is required.
- Criminal charges may be brought against a business under certain circumstances.
This law leaves a lot of leeway for the Attorney General to interpret things and the current AG was very active in shaping this bill, so I would not count on her being lax when it comes to prosecution.
by 