If you are a business in the United States, or anywhere for that matter, its time to start taking notice at where your consumers are located; Because compliance regulations such as those implemented by the European Union, California and Colorado may apply to your organization if you hold the personal information and data of people located in those jurisdictions. So how do you know if your organization is obligated to adhere to these new sets of regulations?
Well for starters, the geographic location of your company is irrelevant. Physical presence within the borders of those states or EU countries is not required. This trend was started by the European Union when it implemented the General Data Protection Regulations (GDPR) and applied it to any company, regardless of origin, that hosts personal information of European Citizens. Both California and Colorado followed suit as well. To be accountable under the California Consumer Privacy Act (CCPA), you must be a for-profit company that meets one of three criteria. For instance, you have gross revenues of over $25 million. For Colorado’s privacy there is only one single criteria:
Do you deal with the personal information of Colorado residents?
That’s it. Whether you are a Fortune 500 company or a one-person shop. Whether you are a for-profit, non-profit or government organization, its all the same. If you collect digital or paper personal identifying information (PII) of Colorado residents, you fall under the jurisdiction of Colorado’s privacy laws. Note that this also includes third-party service providers (TPSPs) and managed service providers (MSPs). The reach of Colorado’s new set of laws is far reaching.
3 Things about The Protections for Consumer Data Privacy Act You Need to Know
The Colorado Protections for Consumer Data Privacy Law, also known as HB 18-1128 went into affect September 1, 2018. Updates to the law have been added since its implementation date. Basically, there are three key aspects of the law that organizations should be aware of.
- All entities that maintain, own or license PII of Colorado residents must take reasonable security measures to protect that information from being compromised. The term “reasonable” denotes what steps and procedures are appropriate according to the size and operations of the entity. The good news is that Colorado does recognize the laws and regulations of other jurisdictions. By following the procedures for the protection of PII established by your state or federal regulator, you are automatically in compliance with Colorado’s laws.
- All applicable entities must implement a written data disposal policy that outlines and requires the appropriate steps necessary to ensure that personal data is properly disposed of or rendered anonymous. This means that both digital media and paper documents must be made unreadable. In addition, organizations must accept responsible for determining when data is no longer necessary to be maintained.
- All organizations that fall under the law’s jurisdiction must notify Colorado residents if and when their PII is compromised no later than 30 days after the date of breach determination. The notification must provide a detailed account of the circumstances such as what information was exposed, as well as the date of the occurrence. Entities are also required to contact the Colorado Attorney General should a breach incident include more than 500 Colorado residents.
So what constitutes a breach?
A breach is defined by Consumer Data Protection Act (CDPA) as the compromise of a person’s first name or first initial and last name plus one of the following PII data types:
- Social Security number
- Employer, student or military ID number
- Passport number
- Driver’s license or government issued ID number
- Medical information
- Biometric data
- Health insurance ID number
In addition, a breach is can include the compromise of a username or email addresses matched with a password or answered security questions. It also includes the compromise of bank-issued numbers such as debit or credit cards matched with security codes, access codes or passwords.
Preparing for Compliance
Colorado is but one of the states that either has, or is in the process of implementing government mandates concerning PII. Because of this, any organization that maintains and processes PII needs to seek the advice of subject manner experts concerning the ever-changing landscape of state government compliance regulations.
With the regulatory emphasis on “reasonable” safeguards for data, organizations are required to assess their risk, their security controls, who they impact, all while keeping their business strong. Partnering with experienced, trusted information security advisors can help you balance your priorities.
Contact us to scope your project and map out your reasonable security strategy.