A few years from now, stories like this may not even qualify as news. That’s how quickly cybersecurity laws—nearly unheard of until recently—are becoming the norm.
For now, though, each new law is worth noting, and the Colorado Protections for Consumer Data Privacy law, which took effect on September 1, is the latest law to hit the books in the US.
The Colorado legislature passed the law at the end of May, a few months after it was introduced. The law didn’t make a big splash at the time, perhaps because the entire cybersecurity world was talking about GDPR, which had taken effect only a few days earlier. Colorado’s law may be overshadowed again as it takes effect, given that California’s high-profile Consumer Privacy Act is still attracting attention.
While it may not be as broad in scope or have quite as much impact as Europe and California’s new regulations, the Colorado law is every bit as important for organizations that do business in Colorado, and it serves as another reminder that data protection laws will continue to proliferate in the US and around the world.
What’s New in Colorado
Like other recent cybersecurity laws, the Colorado law creates a broad definition of sensitive data, expands existing requirements for data breach notifications, and calls for strong protection for sensitive data. One particularly notable aspect of Colorado’s law is that, unlike the California law, it creates no exemption for small businesses. Colorado’s requirements apply to every organization that “maintains, owns, or licenses personal identifying information” of Colorado residents.
Definition of PII
Colorado’s definition of personally identifying information (PII) is very broad. The new law considers data to be PII if it contains a Colorado resident’s first name (or first initial) and last name together with one or more of the following:
- Social Security number
- Student, military or passport ID number
- Driver’s license number or ID card number
- Medical information, biometric information, or health insurance ID number
- Username or email address together with a password or security questions/answers
- Account number or card number together with a PIN or password
Notably, if data meeting the description above is encrypted, it is not considered PII in Colorado.
Requirement for Data Protection
The Colorado law creates the state’s first mandate for protecting sensitive information. Organizations are now legally obligated to implement reasonable security measures to protect documents (paper and electronic) that contain PII. The law does not define the word “reasonable,” nor does it call for the use of any specific technology, but frequent mentions of encryption elsewhere in the law suggest that persistent encryption may be the best bet for compliance, in addition to being the strongest possible form of data protection.
Colorado has implemented one of the toughest data breach notification requirements in the country. Covered entities are now required to notify affected individuals within 30 days of a security breach that involves personal information. Covered entities must also notify the Colorado Attorney General if a breach affects 500 or more Colorado residents, and must notify credit agencies if a breach affects 1,000 or more Coloradoans.
As with other data protection laws, organizations are exempted from breach notification requirements if the breached data is protected by encryption (assuming that the encryption key was not compromised in the same breach).
PK Protect Can Help
If your organization does business in Colorado, PK Protect can give you the capabilities you need in order to keep personal information safe from internal and external cyber threats. See it in action now.