Colorado’s new House Bill 18-1228 strengthens privacy and cybersecurity legislation for any business operating in the state, whether based here or not. Consequently, Colorado businesses need to pay more attention to how they handle their data as of September 1, 2018.
New Definition of Personal Information
The Bill defines personal information as a resident’s first name or first initial and last name with one or more of the following:
- Social Security number
- Student, military or passport identification number
- Driver’s license number or identification card number
- Medical information (new)
- Health insurance identification number (new)
- Biometric data (new)
- User name or email with password or security questions and answers (new)
- Account or credit card number with password, access code, or security code allowing access to an individual’s account (new)
A business must notify the Attorney General of a data breach if it reasonably believes the breach affects more than 500 residents, even if it follows the Gramm-Leach-Bliley Act or HIPAA (new).
You must notify residents and the Attorney General “not later than thirty days after the date of determination that a security breach occurred” (new). The Bill also includes exacting content requirements for Colorado resident notifications (new).
What Should You Do?
Colorado businesses should protect themselves against the serious consequences of a cybercrime in several ways.
First, your company should have a written information security program, incident response plan, and data destruction protocols for paper and electronic files consistent with the Bill. Second, you should establish third-party controls. Finally, you should protect your business from the financial implications of lawsuits and enforcement actions should a breach occur. Let’s look at each measure.
The Bill states businesses should implement security measures “appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”
Basically, the more sensitive the data, the more need for protection. Regardless of business size, it is important you budget properly for cyber security.
If your business transfers sensitive data to third parties to maintain, store, process, or destroy personal information on your behalf, it’s your responsibility to ensure it is properly protected.
You can insist they do so within contracts, but that doesn’t guarantee they’ll implement and maintain reasonable security procedures and practices. That brings us to the final point – protecting your business against lawsuits and enforcement actions, even if they’re caused by a third party.
Enforcements & Lawsuits
When a cybercriminal accesses personal information, it often leads to regulatory enforcement. Depending on your industry, your business may need to deal with the Federal Trade Commission, the Securities and Exchange Commission, the Financial Industry Regulatory Authority, the Department of Health and Human Services, the Federal Communications Commission, financial organizations, and the Attorney General. They may levy stiff fines and penalties, or file a lawsuit. You may also face civil litigation or class-action lawsuits.
Dealing with a data breach is very costly and time-consuming. The average cost of a cyber liability claim is $740,000. It also seriously impacts your reputation and leads to less revenue due to customer loss.
Cyber insurance offers you a way to mitigate risk at a very reasonable cost. It can reimburse you for the following, and more depending on the policy:
- Data breach costs, including lawyer’s fees, settlements, fines, penalties, notifications, and crisis and reputation management
- Loss or theft of digital devices
- Restoration or replacement of infected devices
- Ransom of your company’s data or network
- Costs associated with cyberattacks using malware, phishing, and other tactics
- Business interruption and downtime losses
- Third-party lawsuits alleging your company’s actions or negligence caused them financial loss
It is important to realize that your Business Owner’s Policy or General Liability insurance does NOT offer protection against this significant risk.
Young Insurance can review your business needs and tailor cyber liability insurance to protect your financial interests. We understand insurance policies, do the legwork, and access the best possible products at the most reasonable rates.
Cyber liability insurance is a reasonable, affordable precaution, even more necessary considering this tougher Bill. Contact us – we’re here to help.