Next month will be historic for Colorado in the world of cyber security. Earlier this summer Governor John Hickenlooper signed a bill (HB 1128) into law that will require the most restrictive data breach notification timelines in the world. It goes into effect September 1, 2018.
The Protections for Consumer Data Privacy Act imposes stringent requirements for the disposal of personal information. Colorado businesses will be required to have a written policy for the destruction or disposal of all personal information once it is no longer needed. This applies to paper copies as well as digital copies of the data.
What is “Personal Identifying Information”?
Personal Identifying Information (PII) is your first name or first initial and last name in combination with any of the following: social security number, driver’s license number, identification card number (student, military, passport, etc.), account number (credit or debit card), security codes, access codes or passwords. Personal health information (PHI) is also included in the new law, which covers health insurance numbers and biometric data (such as thumb prints). Usernames, passwords, and security questions and answers that allow access to online accounts are also included.
If a company is storing ANY of the above information, then the written destruction and disposal requirement applies. If this information is accessed by or exposed to unauthorized individuals (i.e., a data breach), the new law requires the company to notify all the affected Colorado residents “in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred.” The State Attorney General must also be notified if the breach affects more than 500 Colorado residents.
As a business owner, what do I need to be thinking about?
- Do I know how many records my business maintains for my clients containing:
  - Personal identifiable information
  - Personal health information
  - Financial information such as credit card or bank account numbers
- Do I know where this information is stored?
- Do I have the correct access policies in place to protect the information from malicious eyes?
- Do I destroy any of this information once I don’t need it anymore?
Protecting your data is at the root of a risk management program for your company, and in Colorado it will become something you must have in place under this new law.
Many companies offer IT security services, but especially with the new demand, be sure you are picking the right service provider.
Here are some great resource articles to help guide you:
Lewan offers expertise to clients in developing Cyber Risk strategies to meet this new law with the following services:
- vCISO (virtual Chief Information Security Officer) to assist with building a solid security program for any client.
- Security assessments to help evaluate current risks and needed remediation.
- Remediation utilizing our entire portfolio of engineers (network, servers, cloud, and security).
- Managed security to detect real-time threats and malicious activity on the client’s infrastructure.
- Incident response to assist when a breach does occur and the client needs to meet the timelines laid out in this new Colorado law.