[BreachExchange] Defending Data: New Colorado Law Creates Stricter Obligations for Handling Data Breaches, Disposal, and Security

Inga Goddijn inga at riskbasedsecurity.com
Thu Jun 7 23:20:41 EDT 2018


https://www.jdsupra.com/legalnews/defending-data-new-colorado-law-creates-36929/

Last week, Governor John Hickenlooper signed a bill
<https://leg.colorado.gov/sites/default/files/documents/2018A/bills/2018a_1128_signed.pdf>
 with wide ranging implications for any entity that collects and maintains
the personal information of Colorado residents. The law, which goes into
effect on September 1, 2018, significantly bolsters the state’s data breach
notification requirements for both private and governmental entities and
puts in place new security and data disposal obligations. As with the
original Colorado state data breach law, the state attorney general has the
authority to bring an action against a violator to ensure compliance and/or
to recover direct economic damages resulting from the violation.

*Updated Data Breach Obligations*

The new law expands an entity’s obligations in the event of a data breach.
Entities must now notify all affected Colorado residents within 30 days of
the date of determination that a breach has occurred, and they must also
notify the Colorado attorney general within the same time period if the
breach is reasonably believed to have affected 500 or more Colorado
residents. The definition of personal information has also been expanded to
include, among other things, health information and information that would
permit a third party to access an individual’s user account (e.g., username
plus security questions or password).

In addition to a broader definition of personal information and a stricter
timeline for data breach notification, the new law has specific content
requirements for a data breach notification. Any notification must include:
(i) the date (or date range) of the breach, (ii) a description of the
personal information that was acquired or is believed to have been
acquired, (iii) contact information for an individual’s further inquiries,
(iv) contact information for consumer reporting agencies, (v) contact
information for the FTC, and (vi) a statement that the individual may
obtain information about fraud alerts and security freezes from the FTC or
credit reporting agencies.

*Data Disposal Plans and Security Obligations*

The new law also requires entities to create a written policy for the
destruction or disposal of documentation containing personal information.
These plans must require that such documentation be destroyed when no
longer needed.

Additionally, entities are required to maintain reasonable security
practices given the nature of the information being collected and the
entity’s size and operations. It is important to note that these
obligations are not limited solely to the entity. Each entity must also
pass these obligations down to any third-party service providers that
process personal information on their behalf, which will require updates to
vendor agreements where these provisions are not already included.

In light of this new law, any entity doing business in, or processing data
of residents in, Colorado would be wise to review its current policies.
Some requirements, including the tight deadline for data breach
notification and flow-down of security obligations to contractors, could
require further preparation and planning before September 1st.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180607/4ee2a0ef/attachment.html>


More information about the BreachExchange mailing list