— by Lindsey Ullian, Threat Stack Compliance Manager
Colorado has rightfully gained a reputation as one of the most socially progressive states, having been one of the first to adopt a regulated adult-use marijuana marketplace. Now Colorado is making headlines again, having adopted one of the nation’s strictest consumer privacy laws. The Colorado Consumer Protection Act (CCPA) is the result of a continued effort to protect residents’ personal data. Colorado’s law follows the pattern set by at least thirty-one other states that have heightened security requirements for consumers’ personal data, and it stands out as one of only twelve states that have imposed broader data security requirements.
Any company or public agency storing a Colorado resident’s personal data will now need a data-protection policy, an efficient breach notification system, and the capability to destroy the data when it is no longer needed. Whether you are a small company of one person or a Fortune 500 company, as long as you have customers in Colorado, you must comply with this new law. And whether or not your business is located in Colorado is irrelevant — what is key is whether you have customers located within the state.
For more details, take a look at the following article written by Kevin Kish, Privacy Technical Lead at Schellman & Company. In this article, Kevin highlights key takeaways from this law, as well as areas in which this law differentiates itself as one of the nation’s strictest data protection laws.
The Colorado legislature has added its weight to the growing shift towards data protection with the “Protections for Consumer Data Privacy” (PCDP) Bill (H.B. 18-1128), a landmark piece of legislation that went into effect on September 1, 2018. The newly enforceable law brings about key provisions that toughen the state’s data breach notification requirements and set the bar for developing and maintaining reasonable information security practices that safeguard personal data assets.
In this post we take a closer look at the Bill and major areas to consider when developing or updating a privacy program to account for the PCDP.
Classification of Personally Identifiable Information (6-1-716)
Across all laws, personal data elements have multifarious categorizations, classifications, or groupings: those requiring enhanced protection may be defined as “sensitive,” “special categories,” or “PHI,” while other data may simply fall into the general PII bucket. Nonetheless, it’s important to differentiate the scope of “covered information” as it is classified under a particular law. In the case of Colorado’s Bill (H.B. 18-1128), the term “personal data” refers to the following specific data elements relating to a Colorado resident:
First name (or first initial) and last name in combination with any one or more of the following data elements (“personal identifying information”) that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:
- Social Security Number
- Student Identification Number
- Military Identification Number
- Passport Identification Number
- Driver’s License Number
- Medical Information
- Health Insurance Identification Number
- Biometric Data
Additional personal data as defined per the law includes:
- Username or email address in combination with a Password or Security Questions and Answers
- Account Number or Credit/Debit Card Number in combination with a security code, access code, or password that permits access to the account
Data Breach Notification Changes (6-1-716)
Tougher than any prior U.S. breach notification mandate, the PCDP allows organizations a maximum of 30 days to deliver proper notice to the affected individuals, unless involved law enforcement counsels otherwise. Coupled with this requirement, the bill does make room for organizations to investigate and determine whether a consumer breach notification is truly warranted. It remains to be seen when the Attorney General will recognize the commencement of the 30-day period; however, organizations should always use reasonable judgment for any delayed notification to avert scrutiny by regulators and consumers. Where notification is needed, organizations are obligated to follow the protocols established under this bill, specifically by including the following information in any communications relating to a security breach:
- Date(s) of the security breach (actual, estimated, or estimated date range of events)
- A description of impacted personal information (first name, date of birth, social security number)
- Instructions for contacting the organization for information on the security breach
- Toll-free number, mailing address, and website for Consumer Reporting Agencies (CRAs)
- Toll-free number, mailing address, and website for the Federal Trade Commission (FTC)
- A statement that the resident can obtain information from the FTC and CRAs about fraud alerts and security freezes
In addition, the bill sets requirements for mandatory communication to affected individuals where the organization’s internal investigation determines that personal information has been or is likely to be exploited. In such a situation, the organization must:
- Direct the affected individual to change their password and security questions/answers
- Use alternate methods to contact the user other than those specified in the affected account
- Provide details on how encrypted information was deciphered
Organizations are also required to notify Colorado’s Attorney General’s office without undue delay, but no more than 30 days after a confirmed breach, in cases where the security breach is believed to affect more than 500 Colorado residents.
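The two sections above together define what counts as “personal information” and what a breach triggers. The following is an added example, not code from the original post or from Schellman: a small breach-scoping helper that applies the Bill’s definition (name plus an unencrypted listed element, or a credential/account pairing) to constructed records, then derives the 30-day resident notice deadline and the more-than-500-residents Attorney General trigger. Field names, the sample records, and the assumption that the 30-day clock starts at the discovery date (the post notes the AG has not yet fixed this) are all assumptions of this example.

```python
from datetime import date, timedelta

# Elements that become "personal identifying information" when paired with a
# name and left unencrypted/unredacted (per the 6-1-716 summary above).
NAME_LINKED = {"ssn", "student_id", "military_id", "passport_no",
               "drivers_license", "medical_info", "health_insurance_id",
               "biometric"}
CREDENTIAL_SECRETS = {"password", "security_qa"}
ACCOUNT_SECRETS = {"security_code", "access_code", "password"}

# Constructed sample records (not real people); field names are assumptions.
SAMPLE_RECORDS = [
    {"state": "CO", "first_name": "Ann", "last_name": "Lee", "ssn": "000-00-0001"},
    {"state": "CO", "first_initial": "B", "last_name": "Cho", "medical_info": "rx"},
    {"state": "CO", "email": "c@example.com", "password": "$2b$12$..."},
    {"state": "CO", "first_name": "Dan", "last_name": "Ito", "passport_no": "X1"},
    {"state": "TX", "first_name": "Eve", "last_name": "Roy", "ssn": "000-00-0002"},
    {"state": "CO", "first_name": "Fay", "last_name": "Ng", "phone": "555-0100"},
]

def is_personal_information(record, protected=frozenset()):
    """True if `record` (field -> value) meets the Bill's definition.
    `protected` names fields that were encrypted or redacted; the statute
    takes such elements out of scope, so they are dropped before checking."""
    present = {k for k, v in record.items() if v} - set(protected)
    has_name = "last_name" in present and (
        "first_name" in present or "first_initial" in present)
    if has_name and present & NAME_LINKED:
        return True
    # username/email plus a password or security questions and answers
    if present & {"username", "email"} and present & CREDENTIAL_SECRETS:
        return True
    # account/card number plus a code or password that permits account access
    if present & {"account_number", "card_number"} and present & ACCOUNT_SECRETS:
        return True
    return False

def notification_plan(records, discovered, protected=frozenset()):
    """Count affected Colorado residents and derive notice deadlines; assumes
    the 30-day clock starts at `discovered` (a date or ISO string)."""
    if isinstance(discovered, str):
        discovered = date.fromisoformat(discovered)
    affected = [r for r in records if r.get("state") == "CO"
                and is_personal_information(r, protected)]
    deadline = discovered + timedelta(days=30)
    return {"affected_residents": len(affected),
            "resident_notice_by": deadline.isoformat(),
            "notify_attorney_general": len(affected) > 500,
            "ag_notice_by": deadline.isoformat() if len(affected) > 500 else None}
```

Passing the set of fields that were actually encrypted at rest as `protected` is what shrinks the scope, so the encryption inventory should be confirmed from system evidence rather than assumed.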
Mandatory Information Security Program (6-1-713.5)
Because most personal data breaches have major consequences for affected individuals and the exploited organizations, the bill establishes requirements for implementing meaningful technical and organizational controls relevant to the types and categories of data being protected. Similar to the General Data Protection Regulation (GDPR) requirements in Article 32, organizations are challenged with developing a thoroughly considered and reasonable plan of “appropriate security,” which by its own nature could be a subjective undertaking based on the industry, experience, and types of personal data held. As such, organizations should consider a risk-based approach to link their security requirements with the specific security measures taken to meet the bill’s standards and ensure a balance among investments, allocation of resources, and optimization for high-risk areas.
Even where mature risk management programs are already established, organizations should evaluate the key information security stipulations set forth in the bill, including:
- Implementing security procedures and practices that are appropriate to the types of PII, nature and size of the business, and its operations
- Ensuring security protection for information disclosed to a third-party service provider
- Emphasizing protection from unauthorized access, use, modification, disclosure, or destruction
Those familiar with the General Data Protection Regulation’s enforcement capabilities may see similarities in the relevant authority’s ability to determine negligence and bring lawful action against an organization where warranted. And although the bill lacks criteria that could quantify the potential financial impact for a negligent organization in relation to the Bill’s provisions, it does include conditions for Colorado’s Attorney General (AG) to bring action for injunctive relief in an effort to enforce the provisions in the Bill, including criminal prosecution at the AG’s discretion.
Data Disposal Measure (6-1-713)
The Bill sets down a minimum requirement for a documented data deletion or destruction plan, essential for aligning with PCDP’s five risk categories (preventing unauthorized access, use, modification, disclosure, or destruction). Organizations must implement a written data disposal policy that includes appropriate steps to ensure that personal data are disposed of or otherwise rendered anonymous when no longer needed. Organizations also face responsibility for determining when data is no longer necessary to be maintained, or as specified by the General Data Protection Regulation, ensuring that data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (Article 5.1(e) Storage Limitation).
Organizations should refer to 6-1-716(g)(I)(a) for correct classification of covered personal data in a properly developed data disposal program.
Third-Party Service Providers
Relationships between the organization and third-party service providers must be appropriately defined and controlled to permit the onward transmission of personal data. Per the PCDP, this can be done in one of two ways:
- The organization can require their own security protection measures to protect the shared personal information, or
- The organization can obligate the third-party service organization to implement and maintain appropriate information security procedures.
Regardless of the method selected, organizations and third-party service providers must draft well-developed contracts setting out the parties’ obligations and liabilities while in possession of the in-scope personal data. These contracts will govern the actions taken by a third-party service provider when handling data and the implementation and maintenance of an information security program, and obligate the entity to promptly notify the organization where adverse events occur with the shared data — both in accordance with PCDP’s newly stipulated requirements.
Businesses and government entities impacted by the Colorado Privacy Bill should start charting their response efforts if they are not already in progress. If you haven’t started yet — it’s not too late. Many organizations are underprepared, haven’t heard of these new requirements, or are buried with preparatory work for larger data protection obligations like the GDPR. If that is your situation, you are not alone. However, taking a wait-and-see approach could prove catastrophic to the organization’s reputation and bottom line. And, although legal sanctions or fines may be an added driver for developing an information security and privacy program, maintaining employee loyalty and consumer trust is at least of equal importance. Trust is achieved through continued transparency (i.e., disclosure of a breach) and through advocating for data privacy and protection on behalf of the consumer, the company, and its employees.
Trust becomes one of the most important business relationship factors — and personal data privacy has positioned itself as an integral factor in earning it.