In September 2018, Colorado implemented some of the strictest laws in the U.S. concerning data breaches and the resulting reporting requirements. If you do any kind of business in Colorado, including capturing names and email addresses on your website (also known as Personally Identifying Information, or PII), then these laws affect you. This is similar to the recent European GDPR regulation that businesses are scrambling to comply with, but with reporting requirements that are even stricter.
One of my clients recently had their laptop stolen out of their car, and they are now dealing with an avalanche of headaches in the aftermath, especially under these new rules that require notifications.
One thing I find eye-opening here is the number of ways a data breach is defined:
- A hacker electronically accessing and acquiring computerized data;
- Unauthorized access to a computer network through weak passwords;
- Unencrypted consumer information sent through a payment system;
- A briefcase or laptop computer containing client files that is stolen or misplaced; or
- A mobile device or data storage device containing PII that is stolen or misplaced.
What are my responsibilities?
- Businesses and agencies must have a written policy explaining how they will dispose of the personal information they keep and follow through on those procedures.
- If a data breach is detected, entities must alert consumers that their data has been compromised within 30 days. If more than 500 Coloradans are impacted, the entity must alert the attorney general’s office.
- Entities must take “reasonable” steps to protect the personal information they keep.
What can I do to protect myself?
- Never, ever leave your laptop or mobile device in your car, or walk away from it in a public place like a coffee house. If you do, assume it has been stolen already, and consider how you will recover.
- Be really smart about how you use passwords. You can read more about that at The Four Computer Dreads: Passwords.
- Make sure that your computer’s data and backups are secure and malware-free.
- Use an IT professional like MacFinesse.com (Contact Us) to help you ensure that all of your systems are up-to-date, secure, and safe – that is one way of demonstrating your due diligence, and taking “reasonable” steps.
How about further reading and resources?
Colorado’s Attorney General has an entire page outlining everything you need to know: FAQ’s for Businesses
Varonis (a security firm) has a good synopsis on their site.
The Denver Post put out an excellent article with further descriptions.