Part 1: The Why
No building is ever truly safe from those who would break in and steal. That said, it still makes sense to take basic precautions like locking your windows or making sure the back door isn’t left open. Similarly, no business is ever truly safe from cyber-attacks, but there are basic precautions that are every bit as important as locking the door. Now imagine a house that is constantly changing, with rooms appearing and disappearing, and doors that are sometimes reconfigured to the point where they barely resemble doors anymore. This is closer to what protecting your business from cyber-attacks looks like: your systems are constantly changing and being upgraded (or at least they should be), and the attackers are changing too, possibly even faster. How does one prepare for this kind of amorphous threat?
In this series on cybersecurity, we explore this question and more. In Part One, we’ll look at the “why”: why your business should care about cybersecurity, with a particular focus on providing updates on Colorado’s new consumer data protection law. In Part Two, we’ll look at the “how” by diving into the practical and providing tips on best practices for keeping your systems safe.
Businesses Should Care About Cybersecurity
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), the numbers are grim. The report counted roughly 53,000 security incidents and about 2,200 confirmed data breaches in a single 12-month period, and describes “an information security dystopia, an uneven playing field where the bad guys consistently win out.”1
Cyber-attacks can spell big trouble for businesses. A cyber-attack not only disrupts your day-to-day operations but can also create liability for the business. One of the biggest concerns is what happens if your customers’ data is compromised. If you have not been complying with laws and best practices on keeping customer data secure, you may face legal liability. What you do after a data breach also matters. When customer data, particularly personal identifying information, is inappropriately accessed, it can trigger notice requirements and other obligations on the part of the business. To this end, Colorado recently updated its consumer data protection and breach notification law. Other laws, such as the GDPR, may apply as well.
Colorado’s New Consumer Data Protection Law2
Just last month, Governor Hickenlooper signed Colorado’s new consumer data protection bill into law. The bill, HB18-1128, creates and clarifies a host of obligations for businesses and other covered entities that collect consumer data. Here are some highlights of the law:
- Who the law covers. The law applies to “covered entities,” which the statute defines as any person, including a business or other organization, that maintains, owns, or licenses “personal identifying information” in the course of its business, vocation, or occupation. Personal identifying information includes, among other items, a social security number; a password or pass code; a driver’s license or other government-issued identification number; biometric data; and a financial transaction device such as a credit or debit card.
- Protection of PII. If your business maintains, owns, or licenses personal identifying information of a person in Colorado, you must implement and maintain “reasonable security procedures and practices” to keep that information secure. What is considered reasonable depends on the nature of the information you hold and on the nature and size of your business and its operations. If you disclose PII to a third-party service provider that maintains or stores it for you, you must also require that provider to implement and maintain reasonable security procedures and practices of its own.
- Disposal of PII. Covered entities must adopt a written policy for the destruction or proper disposal of paper and electronic records containing personal identifying information, and must dispose of that information (by shredding, erasing, or otherwise rendering it unreadable) once it is no longer needed. The exception is information the entity is required by state or federal law to retain.
- Notification of Security Breach. Covered entities have responsibilities in the event of a breach. When a covered entity becomes aware that a security breach may have occurred, it must first conduct a prompt, good-faith investigation to determine the likelihood that personal information has been or will be misused. Unless the investigation shows that misuse has not occurred and is not reasonably likely to occur, the covered entity must give notice to the affected Colorado residents. Notice must be given in the most expedient time possible and without unreasonable delay, and in any case not later than 30 days after the date of determination that a security breach occurred; the 30 days is a ceiling, not a target. Note that the notice provisions turn on “personal information,” a term the statute defines separately from the “personal identifying information” covered by the security and disposal requirements, so check both definitions when assessing a breach. The notice must include the following information:
- The date, estimated date, or estimated date range of the security breach;
- A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach;
- Information that the resident can use to contact the covered entity to inquire about the security breach;
- The toll-free numbers, addresses, and websites for consumer reporting agencies;
- The toll-free number, address, and website for the Federal Trade Commission; and
- A statement that the resident can obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes.
In addition, if your investigation shows that personal information was misused or is reasonably likely to be misused, the law imposes further obligations, primarily focused on remedial measures that restore the security of the affected accounts and systems, such as directing residents whose login credentials were exposed to change their passwords.
The notice provisions are very specific, and they allow notice to be delayed when a law enforcement agency determines that it would impede a criminal investigation, so it is important to review the law carefully in the event of a breach.
- Penalties. Failing to comply with the law carries real risk. Colorado’s law gives the Attorney General the power to bring an action to enforce it, including recovering economic damages resulting from a violation.
Conclusion
Cybersecurity is a serious matter. The best way to avoid the costs and obligations that follow a data breach is to prevent one in the first place. In the next installment of this series, we’ll discuss best practices for shoring up your business’s cybersecurity.
_________________________________________
1 Verizon, 2018 Data Breach Investigations Report (“What went wrong? An exploration in trends and data”), available at: https://info.verizonenterprise.com/VBM-2018-DBIR-ulp.html.
2 § 6-1-713, C.R.S. 2018, et seq.
Because of the generality of the information on this site, it may not apply to a given place, time, or set of facts. It is not intended to be legal advice and should not be acted upon without specific legal advice based on particular situations.