Many businesses regularly update their policies as laws regarding health insurance or wages change. But some are slower to create or update policies dealing with changes to data and privacy laws. Colorado recently passed an important law that affects many Colorado businesses, large and small. The new Protections for Consumer Data Privacy Act, effective this past fall, and changes to existing laws set a high bar for safeguarding consumers’ personal identifying information (PII).
Under Colorado law, PII includes “a social security number; a personal identification number; a password; a passcode; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data;…an employer, student, or military identification number; or a financial transaction device.”
Any business, no matter how small, that keeps PII, whether in paper records or in electronic data or files, must take all “reasonable” measures or steps to protect the PII it keeps. There is no definition of what “reasonable” means, which gives businesses some flexibility in developing procedures that match their resources and context. But it also means there is considerable uncertainty for businesses that may want a concrete answer to the question of whether they are doing enough under the law.
Colorado law provides more specific guidelines for data breaches.
If a data breach occurs affecting even one consumer, the business must notify the affected consumer(s) within 30 days. If the breach affects 500 or more consumers, the business must also report the breach to the attorney general’s office. A breach impacting over 1000 people triggers a requirement to notify the consumer reporting agencies—Equifax, Transunion, and Experian.
A data breach could mean a hacker who gains access to a database of sensitive information. But according to the attorney general’s office, it can also mean:
- Unauthorized access of a computer network through weak passwords;
- Unencrypted consumer information sent through a payment system;
- A briefcase or laptop computer containing client files that is stolen or misplaced; or
- A mobile device or data storage device containing PII that is stolen or misplaced.
Individual consumers are not given the right to sue for breaches under the new law, but they can file complaints with the attorney general’s office, the office that oversees this and other consumer protection laws in Colorado.
Finally, under the new and updated laws, all businesses, from a single-person business such as a solo attorney to large businesses such as banks and hospitals, must create and maintain a written policy explaining how they will dispose of PII. They are expected to follow the policies they create and to ensure that any contractors assisting with the storage or destruction of PII are also complying with state law.
These are tall orders, particularly for small businesses. But these steps are important for protecting consumers’ sensitive information and reducing the incidence of identity theft and identity-based fraud. Data breaches cost businesses in criminal and civil penalties, legal fees, and lost consumer trust and patronage, so when consumers are protected, businesses stand to profit. Colorado’s tough laws aim to make data breaches, incidents that cost both Colorado consumers and businesses, far less common. For more information on making sure your business is up to date on the new developments, check out Stop Fraud Colorado.
By Alexandra Tracy-Ramirez, HopkinsWay PLLC. | © HopkinsWay PLLC 2018. All rights reserved.