Every Colorado-based company is now required to take active steps to both protect customer and prospect data, and follow very specific procedures if they experience a data breach.


Are you prepared?

Today, our digital data is ubiquitous. Billions of devices transfer exabytes of data to servers throughout the globe. Every app on our phones collects data and everything we share, upload or download, e.g., pics, documents, text messages, emails, videos, etc., has the potential to be compromised. On average, 6 million data records are either lost or stolen daily, and this has a higher probability of increasing than decreasing.

State and Federal government agencies have taken notice. Agencies worldwide are moving towards enacting data privacy laws. In 2018, the EU’s General Data Privacy Regulation (GDPR) went into effect and sent a clear message that data security, portability, and an individual’s right to access their own data (along with having it erased) is of the highest priority in today’s digital economy.

On September 1, 2018, Colorado followed suit with amendments to its own data protection laws. If you haven’t heard of the new laws, now is the time to brush up. You could be held liable if you aren’t prepared. This overview will brief you on what you need to know if you do business with Colorado residents.

If you’re storing or interacting with customer or personal data, you’re obligated.


According to the Colorado State Attorney General, any entity — whether commercial, governmental or at the individual level (a person) — must comply with Colorado’s Consumer Data Protection Law if they are gathering, storing, maintaining, or licensing personal identifying information (PII) of a Colorado resident. Examples of PII include social security numbers, driver’s license numbers, email addresses, usernames, passwords, passcodes, student identification numbers, biometric data, and more.

Colorado’s Consumer Data Protection law extends beyond its borders as well. If any Colorado resident or entity conducts business with an individual or entity in any other state, that out-of-state individual or entity is also legally bound to comply with Colorado’s Consumer Data Protection Law.

What does this mean to you?

If you’re collecting any sort of private data from Colorado residents, you must “implement and maintain reasonable security procedures and practices.” (Colo. Rev. Stat. § 6-1-713.5.) You also have to develop in-house procedures and implement a written policy to make sure the personal information you’ve collected is destroyed when it’s no longer needed.

Now is the time to assess the security of your data and communication systems. They must be secure enough to prevent “unauthorized access, use, modification, disclosure, or destruction of personal information.” If you can’t prove you’ve taken these precautionary steps, you can be held liable in the event of a data breach and prosecuted by the Attorney General’s Office.

If you do have a data breach, you must follow specific steps

Colorado’s data privacy law prescribes specific steps that entities must take if their data systems have been breached. Entities can be held liable if they haven’t taken appropriate precautions or followed the precise breach notification process outlined in the privacy law.

The law defines “breached information” as unencrypted personal information (or encrypted information if the encryption method was also compromised) that includes a Colorado resident’s first name or first initial and last name along with at least one additional piece of identifying data such as their:

•  Social Security Number
•  Biometric data
•  Medical information
•  Driver’s license number (or any other government-issued identification)
•  Usernames and passwords or security questions/answers
•  Email addresses and passwords or security questions/answers
•  Account numbers including credit or debit card information

So, what do you need to do if you think your system has been breached?

First, you’ll need to conduct an investigation to determine whether the data could possibly be misused. If there is a possibility that the personal data is at risk, you only have a 30-day window from the discovery of the data breach to notify all impacted Colorado residents. You’re required to let them know what information was compromised, when it was compromised, what steps they can take to protect themselves, and what agencies they can contact for help. There is very specific language that must be used in these notifications.

Next, it’s critical to quantify how many personal records were affected, because each threshold requires more extensive action. If the breach affects at least 500 Colorado residents, you also have to inform the Colorado Attorney General within 30 days of the security breach. And if the breach affects 1,000 or more, you’ll need to notify the three major consumer reporting agencies (i.e., Equifax, TransUnion, and Experian) as well.

Notifications can be sent by post, telephone, or electronically, but there is quite a bit of legalese outlining the appropriate notification method depending on the circumstance. If you do experience a breach, you may want to seek the advice of legal counsel to make sure you are in compliance.

The bottom line is, if you haven’t done so already, now is the time to align your security breach protocols with the Colorado data privacy law. The good news is that this can be automated if you have the latest data security systems in place. You can implement algorithmic alerts that will notify you if a security breach involves Colorado residents. You can even set parameters for the type of breached data, the number of Colorado residents affected, and the next steps you need to take to be in compliance. Covering your bases ahead of time will not only protect your clients and prospects, but will protect your business.
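The triage logic described in the steps above, written out as an added example (this is not the article’s code, nor any official tool from the Attorney General’s Office). It encodes only what the article states: a record is “breached information” when it is unencrypted (or encrypted with a compromised method), carries a first name or initial plus a last name, and includes at least one qualifying data element; affected residents are notified within 30 days of discovery; 500 or more Colorado residents also triggers notice to the Attorney General; 1,000 or more also triggers notice to the three consumer reporting agencies. The record schema, the element labels, and the sample data are constructed for the example, and it assumes one record per distinct resident.

```python
"""Breach-notification triage against Colorado's notification thresholds.

Added example, not part of the original article. Field names, element labels
and sample records are constructed; the thresholds and the definition of
"breached information" are the ones the article gives.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Data elements the article lists as turning a name into "breached information".
QUALIFYING_ELEMENTS = frozenset({
    "ssn",
    "biometric",
    "medical",
    "drivers_license",
    "government_id",
    "username_password",
    "email_password",
    "account_number",
})

AG_THRESHOLD = 500          # notify the Colorado Attorney General at this count
CRA_THRESHOLD = 1000        # notify the three consumer reporting agencies at this count
NOTIFY_WINDOW_DAYS = 30     # residents must be notified within this window


@dataclass
class AffectedRecord:
    """One exposed record reconstructed during the investigation (constructed schema)."""
    resident_state: str
    first_name: str          # first name or first initial
    last_name: str
    elements: set
    encrypted: bool = False
    encryption_compromised: bool = False


def is_breached_information(rec: AffectedRecord) -> bool:
    """Apply the article's definition of 'breached information' to one record."""
    if rec.encrypted and not rec.encryption_compromised:
        return False                       # intact encryption keeps the record out of scope
    if not (rec.first_name and rec.last_name):
        return False                       # name (or initial) plus last name is required
    return bool(rec.elements & QUALIFYING_ELEMENTS)


@dataclass
class TriageResult:
    colorado_residents_affected: int
    notify_residents: bool
    notify_attorney_general: bool
    notify_reporting_agencies: bool
    notification_deadline: date
    exposed_element_types: set = field(default_factory=set)


def triage(records, discovered_on: date) -> TriageResult:
    """Count in-scope Colorado records and derive the notification obligations."""
    in_scope = [r for r in records
                if r.resident_state == "CO" and is_breached_information(r)]
    n = len(in_scope)                      # assumption: one record per distinct resident
    exposed = set()
    for r in in_scope:
        exposed |= r.elements & QUALIFYING_ELEMENTS
    return TriageResult(
        colorado_residents_affected=n,
        notify_residents=n > 0,
        notify_attorney_general=n >= AG_THRESHOLD,
        notify_reporting_agencies=n >= CRA_THRESHOLD,
        notification_deadline=discovered_on + timedelta(days=NOTIFY_WINDOW_DAYS),
        exposed_element_types=exposed,
    )


def make_sample(n_colorado: int):
    """Constructed sample: n_colorado in-scope records plus three out-of-scope ones."""
    recs = [AffectedRecord("CO", "A", f"Resident{i}", {"ssn"}) for i in range(n_colorado)]
    recs.append(AffectedRecord("CO", "B", "Encrypted", {"account_number"}, encrypted=True))
    recs.append(AffectedRecord("CO", "C", "PhoneOnly", {"phone"}))       # no qualifying element
    recs.append(AffectedRecord("TX", "D", "Elsewhere", {"ssn"}))         # not a Colorado resident
    return recs


if __name__ == "__main__":
    print(triage(make_sample(3), date(2018, 9, 1)))
```

The useful property for a defender is that the count drives the obligations: the same function run over the reconstructed record set tells you whether you are in the residents-only, Attorney General, or reporting-agency tier, and which element types appeared so the resident notice can say what was compromised.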

HIPAA isn’t just for healthcare companies anymore. If you’re HIPAA-compliant, you’re ahead of the curve


If you’re already compliant with the Health Insurance Portability and Accountability Act (HIPAA), then there’s nothing more you need to do to comply with Colorado’s data privacy law except follow its notification procedures in the event of a breach. In this respect, healthcare companies are ahead of the curve. HIPAA compliance mandates data security and has existing procedures in place for security breaches.

Adopting HIPAA compliance for your business will make you compliant with the new data privacy laws. HIPAA was originally created for healthcare providers and those entities handling Protected Health Information (PHI) to give patients an array of rights over their personal and medical data. HIPAA compliance ensures the safety of this personal data across both written and digital records.

HIPAA compliance is aligned with Colorado’s new data privacy laws. Colorado’s data privacy law extends to all individuals’ data, whether health related or not. Now, the Personal Identifying Information (PII) of all Colorado residents has the same protection that HIPAA provides.

You can get in front of the Colorado data privacy laws by adopting data security systems that align with HIPAA compliance laws.


Keep in mind, however, you’ll still need to comply with Colorado’s data breach notification schedule, but you’ll be that much more ahead of the game. Think of every system that touches/contains your customer and prospect data. Are they secure?

Think about all the ways that you interact with clients across all channels — your website’s contact forms, email, phone, chat, video conferencing, social media, apps etc. How many of these channels are in compliance with Colorado’s new data privacy law? What information are you collecting and does it apply to Colorado’s definition of PII?

A fail-safe way to comply with these new laws is to make sure that your key systems are HIPAA/security-compliant.

Some common business systems to validate:

•  Your Customer Relationship Management (CRM) and/or Help Desk software
•  Your live chat software
•  Your billing software
•  Your email software

How to get started? 

In general, most companies tackle this effort with a task force led by an operational lead. Showing that you’ve tightened security processes and procedures inside your company, trained your team members on breach protocols, and validated that customer and prospect information systems are compliant will not only protect you but also your biggest assets — your customers.

To learn more about Colorado’s Consumer Data Protection Law, contact the Office of the Colorado Attorney General.