Manufacturer's Edge

BACK TO SCHOOL: COLORADO PRIVACY LAW ABCs

Colorado’s new privacy legislation—the toughest in the nation—goes into effect September 1, 2018. The law is remarkable both for its broad definition of personally identifying information (PII), whether in hard copy or electronic form, and for its broad application to businesses of any size and to government agencies. Colorado’s attorney general participated in crafting the bill and is expected to enforce it closely. It’s time to learn these ABCs:

A is for Accountability
Any Colorado-based company that collects PII on Colorado citizens is a “covered entity” under the law’s provisions. Responsibility cannot be transferred to a third party. In fact, PII shared with another entity (e.g., a cloud services provider) must be contractually protected by the same standard of care: written security measures and a PII disposal policy. PII is defined as a Colorado resident’s first name or first initial and last name, combined with one or more of the following in cleartext (i.e., humanly readable or usable):

  • Government- or para-government issued identifiers (social security number; student, military, or passport identification number; driver’s license number)
  • Biological or health-related identifiers (diagnostic/treatment information from a medical professional, health insurance identification number, biometric data)
  • Digital identifiers (username or e-mail address, in combination with a password or security questions and answers permitting access to an online account; account number or credit/debit card number in combination with any required security code, access code or password permitting access to that account)
  • Note: PII does not include publicly, lawfully available information from government records or widely distributed media (information that can be acquired from Dark Web sites is not “lawfully available”).

B is for Best Practices

  • Written and enforced policy on PII retention, destruction, and disposal
    • Encrypt PII or lock it securely (and, ideally, other sensitive data at rest)
    • Specific contractual compliance from third-party providers
  • Documented and maintained “reasonable” security measures
    • System security plan
    • Robust access control practices (e.g., strong passwords, least privilege)
    • Incident detection, response, and recovery plan
    • Employee training
  • Notification to affected Colorado residents within 30 days of verifying the data breach
  • Note: PII collected in good faith by an employee or agent of a covered entity for the lawful operation of the business and not subject to unauthorized disclosure is not a “security breach.”

C is for Consequences

  • PII breach notification must include the following elements:
    • Date, estimated date, or estimated date range of the security breach
    • Description of the PII acquired or believed to have been acquired
    • Covered entity contact information
    • Toll-free numbers, addresses, and websites of consumer reporting agencies
    • Statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes
    • Direction to the affected Colorado resident(s) to change account access information
  • The Attorney General must be notified within 30 days if 500 or more Colorado residents are believed affected
  • Colorado’s Attorney General can sue for noncompliance and collect damages for citizens.
  • Criminal charges are possible.

This law describes PII and notifications in a way that is closer to the European Union’s General Data Protection Regulation (GDPR), but it does not include provisions like the “right to be forgotten” or the right to review and correct information. The underlying message, however, is that protection of one’s PII is a reasonable expectation—at least for Colorado residents. Time to learn and practice your ABCs!

Source

Articles consulted for background information in writing this piece may be found at Workplace Privacy Report and Dission.com.