Colorado’s data breach law applies to any entity, whether a business or individual, that maintains, owns, or licenses personal information and their non-affiliated third party service providers.
As of September 2018, this law has an expanded scope that could affect your business. Here’s what has changed.
Broader Definition of Personal Information
The new act expands the former definition of “personal information.” It now includes a combination of a person’s first name or initial and their last name when attached to unsecure on unencrypted medical, health insurance, or biometric data.
The statute also provides protection for personal information such as a person’s user name or email address when combined with their password or security question that could allow a hacker to access their online account.
The new law now requires companies notify Colorado residents within 30 days from the moment you realize there’s been a breach and when sufficient evidence leads you to conclude it could affect a resident’s security. This could be when it’s reasonable to presume the information could lead to misuse or if the breach already led to illegal actions.
If a data breach affects 500 or more Colorado residents, your business must also notify the Colorado Attorney General within the 30-day timeframe.
Colorado Amendment Takes Precedence
If your business follows state or federal regulations or laws inconsistent with the new data breach law, the one with the shortest notification timeframe takes precedence. It is almost guaranteed it will be no more than 30 days as provided under the new law.
For instance, notifications for a HIPAA breach are now 30-days due to the new law, not the 60-days allowed by federal legislation.
Data Protection & Destruction
The new law also requires covered entities to implement and maintain “reasonable security procedures and practices that are appropriate to the nature of the personal identifiable information and the nature and size of the business and its operations.” Basically, the bigger the organization the more resources you need to invest in security.
The statute includes the development and maintenance of a Written Information Security Policy (WISP) for data destruction procedures; whether paper or electronic files or electronic devices. You must also provide employee training so everyone understands your policies and procedures.
Responsibility for Non-Affiliated Third-Party Service Providers
Covered entities are responsible for data security of any information they disclose to third-party providers. Consequently, your company should implement and maintain technical controls that “effectively eliminate” their ability to access personal identifiable information, unless it is essential to their work.
Individuals and companies should also require all contracts include a requirement for immediate notification if a third-party service provider experiences a data breach to reduce lead time and damages.
No company wants to deal with a data breach, but they can occur despite your best efforts. Mitigate the impact on your business through affordable cyber liability insurance coverage. It can protect you from the substantial notification costs, legal fees, fines, and penalties if a data breach occurs.
State and federal legislation will only get tougher, making compliance even more difficult so cyber liability insurance is a reasonable, affordable measure.