Cybersecurity Law – Colorado


For most companies, the problem isn’t how to comply with Colorado’s new cybersecurity law; it’s making sure the company actually has a written plan and is following basic cybersecurity procedures. Data-protection and breach-notification laws of this kind have been in effect for years, not only in Colorado but across the country. The new Colorado law just tightens up a few things, chiefly the notification deadline and the requirement for written disposal and security policies.

What Kind of Data?

The law covers Personal Identifying Information (PII). The statute lists specific data elements rather than a general definition: things like a Social Security number, driver’s license or other government ID number, medical or health-insurance information, biometric data, a financial account number together with its access code, and a username or email address together with its password or security-question answers. Items such as a home address, phone number, or employer name are not PII on their own under the statute, but they are routinely stored alongside elements that are, so in practice a company should treat any record that can identify a particular person as sensitive. Unless individuals choose to become public figures, everyone has a right to privacy, and any organization that stores PII as a part of doing business must follow the legal procedures for handling it.

Guarding Data

The law says companies must implement and maintain reasonable security procedures and practices, appropriate to the nature of the PII and to the nature and size of the business, to protect it from unauthorized access, use, modification, disclosure, or destruction. “Reasonable” is judged after the fact. If a sophisticated hacking operation penetrated industry-standard security procedures, that’s probably defensible. Accidentally leaking unprotected data on the web? Probably not. The practical consequence is that the controls, and the reasoning behind them, should be documented before an incident, because that documentation is what demonstrates reasonableness afterwards.

At the very least, PII must sit behind authentication and be available only to those who absolutely must access it, when and where that access is required, and not beyond (in other words, least privilege). Policies must also be appropriate to the data’s sensitivity: the most critical data must be better secured than routine records, and access to it should be logged so that an unauthorized use can be detected and reconstructed.

A Written Policy

All companies should have a written cybersecurity policy, answering questions like:

  • What specific data contains PII?
  • Who is authorized to handle it, and why?
  • What third-party vendors might need to handle it?
  • Under what conditions might that data be transferred to a third party, and what is the transfer mechanism?
  • What is the documented response if a data breach occurs?
  • How, and how often, shall employees be trained on the company’s cybersecurity policy?

In particular, the new Colorado law says that companies must have a written policy for how and when to dispose of paper and electronic records containing PII of Colorado residents once those records are no longer needed. Disposal means rendering the data unreadable or indecipherable, for example by shredding paper or securely erasing storage media, not simply deleting files or discarding drives. The law also expects a company that hands PII to a third-party service provider to require that provider to protect it, so vendor contracts are part of the policy, not separate from it.

Reporting Breaches

In one of the more specific sections, Colorado law says that in the event of a data breach, companies must:

  • notify affected individuals within 30 days of determining that a breach occurred
  • notify the Colorado attorney general’s office, within the same 30 days, if 500 or more Colorado residents are reasonably believed to be affected
  • notify the consumer credit reporting agencies if more than 1,000 Colorado residents are affected

Because the clock starts when the company determines a breach occurred, the incident response plan should say who makes that determination, how affected residents are counted, and who sends each notice. The main takeaway is: don’t wait for an incident to figure out what to do. Plan ahead!
