— by Lindsey Ullian, Threat Stack Compliance Manager
Colorado has rightfully gained a reputation as one of the most socially progressive states, having been one of the first to adopt a regulated adult-use marijuana marketplace. Now Colorado is making headlines again by adopting one of the nation’s strictest consumer privacy laws. The Colorado Consumer Protection Act (CCPA) is the result of a continued effort to protect residents’ personal data. Colorado’s law follows the lead of at least thirty-one other states that have heightened security requirements for consumers’ personal data, and it stands out as one of only twelve states that have imposed broader data security requirements.
Any company or public agency storing a Colorado resident’s personal data will now need a data-protection policy, an efficient breach notification system, and the capability to destroy the data when it is no longer needed. Whether you are a small company of one person or a Fortune 500 company, as long as you have customers in Colorado, you must comply with this new law. And whether or not your business is located in Colorado is irrelevant — what is key is whether you have customers located within the state.
For more details, take a look at the following article written by Kevin Kish, Privacy Technical Lead at Schellman & Company. In this article, Kevin highlights key takeaways from this law, as well as areas in which this law differentiates itself as one of the nation’s strictest data protection laws.
The Colorado legislature has added its weight to the growing shift towards data protection with the ‘Protections for Consumer Data Privacy’ (PCDP) Bill (H.B. 18-1128), a landmark piece of legislation which went into effect on September 1, 2018. The newly enforceable law brings about key provisions that toughen the state’s data breach notification requirements and sets the bar on developing and maintaining reasonable information security practices that safeguard personal data assets.
In this post we will take a closer look at the Bill and major areas to consider when developing or updating a privacy program to account for the PCDP.
Classification of Personal Identifiable Information (6-1-716)
Across data protection laws, personal data elements are categorized, classified, or grouped in many different ways: those requiring enhanced protection may be defined as ‘sensitive’, ‘special categories’, or ‘PHI’, while other data may simply fall into the general PII bucket. It is therefore important to identify the scope of ‘covered information’ as it is classified under a particular law. In the case of Colorado’s Bill (H.B. 18-1128), the term ‘personal data’ refers to the following specific data elements relating to a Colorado resident:
First name (or first initial) and last name in combination with any one or more of the following data elements (“personal identifying information”) that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:
- Social Security Number
- Student Identification Number
- Military Identification Number
- Passport Identification Number
- Driver's License Number
- Medical Information
- Health Insurance Identification Number
- Biometric Data
Additional personal data as defined per the law includes:
- Username or e-mail address in combination with a Password or Security Questions and Answers
- Account Number or Credit/Debit Card Number in combination with a security code, access code, or password that permits access to the account
Data Breach Notification Changes (6-1-716)
Tougher than any prior U.S. breach notification mandate, the PCDP allows organizations a maximum of 30 days to deliver proper notice to the affected individuals, unless involved law enforcement advises otherwise. Alongside this requirement, the bill does leave room for organizations to investigate and determine whether a consumer breach notification is truly warranted. It remains to be seen when the Attorney General will consider the 30-day period to have commenced; in the meantime, organizations should use reasonable judgement about any delayed notification to avoid scrutiny from regulators and consumers. Where notification is needed, organizations must follow the protocols established under the bill, specifically by including the following information in any communication relating to a security breach:
- Date(s) of the security breach (actual, estimated, or estimated date range of events)
- A description of the impacted personal information (e.g., first name, date of birth, Social Security number)
- Instructions for contacting the organization for information on the security breach
- Toll-free number, mailing address, and website for the Consumer Reporting Agencies (CRAs)
- Toll-free number, mailing address, and website for the Federal Trade Commission (FTC)
- A statement that the resident can obtain information from the FTC and the CRAs about fraud alerts and security freezes
In addition, the bill sets requirements for mandatory communication to affected individuals where the organization’s internal investigation determines that personal information has been or is likely to be exploited. In such a situation, the organization must:
- Direct the affected individual to change their password and security questions/answers
- Use alternate methods to contact the user other than those specified in the affected account
- Provide details on how encrypted information was deciphered
Organizations are also required to notify Colorado’s Attorney General’s office without undue delay, but no more than 30 days after a confirmed breach, in cases where the security breach is believed to affect more than 500 Colorado residents.
Mandatory Information Security Program (6-1-713.5)
As most personal data breaches have major consequences both for affected individuals and for the organizations that were breached, the bill establishes requirements for implementing meaningful technical and organizational controls relevant to the types and categories of data being protected. Similar to the General Data Protection Regulation (GDPR) requirements in Article 32, organizations are challenged with developing a thoroughly considered and reasonable plan of “appropriate security,” which by its nature is a subjective undertaking that depends on the industry, the organization’s experience, and the types of personal data held. As such, organizations should consider a risk-based approach that links their security requirements to the specific security measures taken to meet the bill’s standards, ensuring a balance among investments, allocation of resources, and optimization for high-risk areas.
Even where mature risk management programs are already established, organizations should evaluate the key information security stipulations set forth in the bill, including:
- Implementing security procedures and practices that are appropriate to the types of PII, nature and size of the business, and its operations
- Ensuring security protection for information disclosed to a third-party service provider
- Emphasizing protection from unauthorized access, use, modification, disclosure, or destruction
Those familiar with the General Data Protection Regulation’s enforcement capabilities may see similarities in the relevant authority’s ability to determine negligence and bring lawful action against an organization where warranted. Although the bill lacks criteria that would quantify the potential financial impact on a negligent organization in relation to the Bill’s provisions, it does include conditions for Colorado’s Attorney General (AG) to bring action for injunctive relief in an effort to enforce the provisions in the Bill, including criminal prosecution at the AG’s discretion.