Beginning in July of 2023, the Colorado’s Privacy Act will begin enforcement. As part of that regulation, companies will need to maintain ‘reasonable security measures’. Now, with the Data Security Best Practices document released by the Colorado Attorney General, we may get a glimpse into what the AG considers “reasonable security”.
The Colorado AG will prepare for rulemaking later this year, and I wouldn’t be surprised to see most of the below present in the final regulations. I consider this a good opportunity for brands subject to the Colorado Privacy Act (or any brand, really) to get their house in order in advance. It should be noted (and is listed in the PDF above) that doing what is below alone may not ensure full compliance. Consider this a good place to start.
Data Inventory and Governance
It is expected for organizations that collect data to document what data is collected, where it’s stored, who has access to it and have written data retention and destruction policies. The guidance from the AG also says these policies should apply to non-secure storage of personal data, such as personal data sent or received over email.
Assuming you are already in compliance with the California Consumer Protection Act or Europe’s General Data Protection regulation – a lot of this work may already be done. If not, then expect this process to take awhile. Hunting down all the data collected across a business and documenting where it is stored can take a considerable amount of time. You’ll want to prioritize this, as you may be amazed at just how much time this can consume.
Develop a written information security policy
The information security policy should include all relevant documentation related to data minimization, access control, password management and encryption.
The AG goes further here, and also states that you should additionally follow any specialized security standards which may apply to you based on the data collected. Examples of this could be complying with the Payment Card Industry’s Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPPA) or storing employee data as per ISO/IEC2700. These additional requirements should be reflected in the written security policy, and relevant staff should receive training to ensure compliance.
Develop a written data incident response plan
An incident response plan should detail all the steps that may occur in the event of a data incident (such as a data breach). The AG further recommends that a paper copy of the plan should be kept, incase the computer system becomes unusable.
Notably, in addition to the written plan, the AG encourages incident response training / practice such as through table-top exercises.
Manage the security of vendors
The AG notes that the Colorado Privacy Act will require data security related contractual obligations between entities and vendors who process personal information. This is notable, because it means that said contracts should include language related to requiring proper security measures (which may include auditing the vendor).
In short – in the AG’s view, the brand is responsible in part for the behavior of the vendors they’ve chosen to share data processing capabilities with. This tracks with other recent efforts such as Apple’s App Tracking Transparency making the App responsible for what it’s vendor SDKs do. At this point I consider this part of good system design.
Provide employee security training
Employees should receive regular training on identifying and reporting of questionable network activity (such as phishing emails). Humans are commonly the weak link in a security net, and proper training helps to mitigate a carefully crafted security framework becoming undone because someone clicked a link in a email.
Follow the Department of Law’s ransomware guidance
This speaks to having access to backup copies of files in the event of a ransomware attack. It specifically notes that this may be considered a data breach under Colorado Law, depending on the scenario. Personally speaking, it’s not enough to have backups. You need to also ensure they actually work. The worst time to find out the backups do not work as expected is when you are reliant on them to save you.
It recommends following the Department of Law’s guidance, which can be found here.
Notify Victims in the event of a security breach
The AG’s guidance here states that when personal information has been or is likely to be misused, the organization involved has 30 days to notify Colorado residents. However, if the security breach affects 500 or more Colorado residents, the organization also has to report it to the Department of Law.
A full list of notification requirements is found here
The tool for reporting security breaches to the Department of Law is found here.
Protect people affected by a data breach
In the AG’s view any entity that collects personal information has a duty to compensate and protect individuals affected by a breach. The AG suggests timely notification and free credit monitoring as a good place to start.
Regularly review and update security policies
The AG stresses here that this effort is not a one time exercise. The AG suggests a regular review of collection, storage and use practices as well as any associated risks. It also states the policies should be updated as required due to changing circumstances .