Colorado’s new cybersecurity law is among the strictest in the nation. What does it require, and what does that mean for companies that do business in the state?
On September 1, 2018, Colorado enacted a new cyber law that protects the personal information of state residents to an unprecedented degree. It does this by placing much firmer controls on how businesses and people (“covered entities”) handle confidential information and data breaches. Any Colorado business that even suspects a breach must promptly carry out an investigation.
Covered entities are any person or organization that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation. Personal identifying information must be protected from unauthorized access, use, modification, disclosure, or destruction.
Personal information is defined as an individual’s name, plus any of the following:
- Social security number, personal identification number or bank details
- Passwords and pass codes
- Official state or government-issued driver’s license
- Identification card number and government passport number
- Biometric data
- Employer, student, or military identification number
Financial transaction devices, meaning anything a consumer uses to send or receive money, are also protected under the new law.
The law was amended in November 2018 to further affect HIPAA-regulated entities. Most HIPAA (the Health Insurance Portability and Accountability Act) cybersecurity standards were deemed effective enough to already satisfy the new Colorado law when it was passed—but the amendment brought HIPAA data breach notification times (previously 60 days) in line with those for other businesses, which now have half that time to act.
The notification window is even tighter for HIPAA-regulated entities if 500 or more individuals have their personal data compromised. They then have only 7 days to inform the attorney general of the incident.
Putting the shorter compliance window into perspective
Colorado businesses now have a maximum of 30 days to inform their customers by mail, telephone, or electronic means if their personal information has been compromised. About a month may seem like ample time, so why is the new law considered so strict?
It’s because the average time taken by American businesses to even notice they’ve been breached is 196 days, according to 2018 data from the Ponemon Institute. Compound that with the average 69 further days required to contain that breach and you’re looking at 265 days before the problem can even start to be solved—and some businesses haven’t historically notified affected parties until they have a handle on the problem.
The new law cuts a potential period of 196 days down to 30, requiring Colorado businesses to exert a high degree of awareness and control over their cybersecurity. There is little room left for ignorance of the risks, or for negligence in mitigating them and notifying affected individuals.
More on what the new law means for Colorado businesses and third parties
The law also addresses how personal information, both paper and electronic, is disposed of once it is no longer necessary for business operations. Deletion/destruction must be secure and final, and businesses must develop and maintain a written policy for doing so.
Unless a covered entity agrees to supply its own security protection for the information it discloses to third parties, the covered entity will be held responsible if it doesn’t require the third party to implement and maintain its own security measures regarding the data. Both parties must be incapable of accessing personal identifying information after it has been deleted.
If the data of more than 1,000 people is believed to have been breached, businesses must notify consumer reporting agencies that compile and maintain consumer files nationwide such as Experian, TransUnion, and Equifax. This will provide a credit freeze on compromised accounts to prevent victims from being further exploited.
If 250,000 people are compromised or the breach is estimated to cost more than $250,000, a business must take more immediate and extensive notification steps. Affected individuals must be notified by email only (the fastest possible means), the company website must immediately display a prominent warning of the breach, and statewide media must be notified.
All notifications of the breach must clearly display the date/estimated time of occurrence, the type of data affected, the estimated negative impact, and toll-free numbers, websites, and addresses that the public can use to gain further information.
How businesses will pay for non-compliance
Non-compliance is worryingly common, at least as of February 2019. Many Colorado businesses weren’t even aware of the new law, and those who’ve been complying have reported upwards of 90,000 cases of compromised personal information. The true figure is likely to be much higher, since reporting is only necessary if 500 or more people are impacted.
Aside from non-compliance penalties, the raw cost of a data breach is high; a given business could be looking at losses of $3.86 million at an average of $148 per compromised record (the national average costs of a data breach). On top of those expenses, the “Colorado Attorney General’s office may investigate and press charges; civil penalties may reach $2,000 per affected person [and] $500,000 per incident.”
Those are the hard numbers. The ultimate expense can only be guessed at. The above direct breach costs and penalties may only be the beginning if those affected by a breach decide to litigate. Lawsuits and lost customer trust can also mean a dramatic loss of profits, and a damaged reputation might never recover.
How CyberGuard360 can help businesses become compliant
Colorado businesses have two choices in 2019: upgrade their current data management security plan or build a new one from scratch. Either way, they must implement and maintain reasonable security practices and procedures appropriate to the nature of the data they deal with, and the nature and size of their business.
Making all possible effort is essential to protect customers and prevent the penalties of negligence. Businesses which prove they’ve been compliant and proactive will suffer less from a breach—for example, penalties stemming from Colorado data laws don’t apply if personal information has been encrypted, redacted, or otherwise secured.
CyberGuard360 can help Colorado businesses comply with the law by providing over 60 NIST-based policy templates, cutting-edge cybersecurity software, industry-leading policy management, and many other services. Let us help you protect your business and its data.
At CyberGuard360, our clients are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, training, and disaster recovery. Call 844-315-9882 or complete our contact form.