Colorado’s Attorney General Issues Data Security Guidance and Remarks on Colorado’s Privacy Act
13 February 2022
The Colorado Privacy Act (“Act“), which passed in July 2021, made Colorado the third US state, after California and Virginia, to enact a comprehensive data protection law (see our detailed update on the Act here). The Act will enter into force on 1 July 2023.
Pursuant to the enactment of the Act, Colorado’s Attorney General (“AG“) has recently published guidelines regarding data security best practices (“the Guidelines“). In addition, the AG has issued remarks regarding data protection in general, and on the Act specifically (“the Remarks“), including on the AG’s plans for the implementation and enforcement of the Act.
Among other obligations, the Act includes a duty of care, which requires data controllers to take “reasonable measures” to secure personal data. While implementing the practices outlined in the Guidelines alone may not suffice to fully comply with the Act, the Guidelines indicate what the AG is likely to consider “reasonable measures”. The Guidelines outline nine best practices:
- Maintaining a personal data inventory: companies should keep records of the categories of personal data they collect and where they store it. In addition, companies should implement policies on data retention and on limiting the storage of personal data in non-secure locations;
- Developing a written information security policy: such policy should include procedures related to common security practices (e.g., access control and encryption). The policy should also follow security standards relevant to the type of personal data that the relevant entity seeks to protect. The company’s employees should be aware of the policy and trained appropriately to ensure compliance;
- Adopting a written data breach response plan: the plan should detail the steps the company will take in case of a breach. A copy of the plan should be kept in paper form, so that it remains available if systems are unavailable during an incident, and companies should conduct employee incident response training;
- Managing the security of vendors: companies should carefully vet potential vendors to ensure they implement the necessary security practices (including regular audits), and should bind them to appropriate contractual provisions. As mentioned in our update regarding the Act, once in force it will require contractual obligations between controllers and their vendors;
- Training employees to prevent and respond to cybersecurity incidents: the Guidelines specifically recommend training employees to recognise phishing attempts and other suspicious network activity;
- Following the Colorado Department of Law’s ransomware guidance: companies should be equipped to restore from backup copies if a ransomware attack renders a system inaccessible;
- Timely notifying victims and the AG’s Office: companies should promptly investigate data breaches and, where required, notify the affected individuals and the competent regulators within the timeframes set forth in the applicable laws;
- Protecting individuals affected by a data breach from identity theft and other harms: this includes timely notifications and appropriate compensation to the victims; and
- Regularly reviewing and updating security policies: the policies should be updated to reflect any change in, or increased risk arising from, the company’s data collection and storage practices.
In the Remarks, the AG stated that its evaluation of reasonable safeguards will focus, inter alia, on the following practices: whether a data inventory exists, whether data retention and information security policies are in place, and the extent to which a company vets its service providers. In addition, according to the Remarks, over the next several months the AG’s office will exercise its rulemaking authority under the Act and present a set of rules implementing the Act.
Companies processing personal data of Colorado residents should ensure that their practices are aligned with the Guidelines and the Act before the Act enters into force. Please feel free to contact us if you have any questions regarding the Guidelines and the Act and their potential effect on your company’s compliance efforts.
Kind regards,
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation