Next month will be historic for Colorado in the world of cyber security. Earlier this summer Governor John Hickenlooper signed a bill (HB 1128) into law that will require the most restrictive data breach notification timelines in the world. It goes into effect September 1, 2018.
This Protections for Consumer Data Privacy Act imposes stringent requirements for the disposal of personal information. Colorado businesses will be required to have a written policy for the destruction or disposal of all personal information once it is no longer needed. This affects paper copies as well as digital copies of the data.
Personal Identifying Information (PII) is your first name or first initial and last name in combination with any of the following: social security number, driver’s license number, identification card number (student, military, passport, etc.), account number (credit or debit card), security codes, access codes or passwords. Personal health information (PHI) is also included in the new law, which covers health insurance numbers and biometric data (like thumb prints). Usernames, passwords, and security questions and answers that allow access to online accounts are also included.
If a company is storing ANY of the above information, then the written destruction and disposal requirement applies. If this information is accessed by or exposed to non-authorized individuals (i.e. a data breach), the new law requires the company to notify all the affected Colorado residents “in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred.” The State Attorney General must also be notified if the breach affects more than 500 Colorado residents.
Ask yourself…
Protecting your data is at the root of any Risk Management program for your company, and in Colorado this new law will make it something you must have in place.
Many companies offer IT Security services, but especially with the new demand this law creates, be sure you are picking the right service provider.
Here are some great resource articles to help guide you:
What is SOC 2 certification and should your managed security provider have it?
5 Reasons You Need a Security Operations Center (SOC)
The Cost of and How to Prevent A Data Security Breach
How to Select a Managed Security Service Provider
Lewan offers expertise to clients in developing Cyber Risk strategies to meet this new law with the following services: