Logo
Media Centre

Colorado’s Attorney General Issues Data Security Guidance and Remarks on Colorado’s Privacy Act

Ariel Yosefi

13 February 2022

The Colorado Privacy Act (“Act“) which has passed in July 2021, made Colorado the third US state, after California and Virginia, to enact a comprehensive data protection law (see our detailed updated on the Act here). The Act will enter into force on 1 July 2023.

Pursuant to the enactment of the Act, Colorado’s Attorney General (“AG“) has recently published guidelines regarding data security best practices (“the Guidelines“). In addition, the AG has issued remarks regarding data protection in general, and on the Act specifically (“the Remarks“), including on the AG’s plans for the implementation and enforcement of the Act.

Among other obligations, the Act includes a duty of care, which requires data controllers to take “reasonable measures” to secure personal data. In this regard, while implementing the practices outlined in the Guidelines alone may not suffice to fully comply with the Act, the Guidelines may indicate what the AG would consider as “reasonable measures”. The Guidelines outline nine best practices:

  1. Maintaining a personal data inventory: companies should keep records of the categories of data they collect and store. In addition, policies regarding data retention and limitation of non-secure storage of personal data should be implemented;

 

  1. Developing a written information security policy: such policy should include procedures related to common security practices (e.g., access control and encryption). The policy should also follow security standards relevant to the type of personal data that the relevant entity seeks to protect. The company’s employees should be aware of the policy and trained appropriately to ensure compliance;

 

  1. Adopting a written data breach response plan: the plan should detail the steps the company will take in case of a breach. A copy of the plan should be kept in paper form, and companies should conduct employee incident response training;

 

  1. Managing the security of vendors: companies should carefully vet potential vendors, to ensure they implement necessary security practices (including regular audits), subject to appropriate contractual provisions. As mentioned in our update regarding the Act – once in force, it will require contractual obligations between controllers and their vendors;

 

  1. Training employees to prevent and respond to cybersecurity incidents: the Guidelines specifically recommend training employees regarding phishing attempt and other suspicious network activity;

 

  1. Following Colorado’s Department of Law’s ransomware guidance: companies should be equipped to access backup copies if a ransomware attack renders a system inaccessible;

 

  1. Timely notifying victims and the AG’s Office: companies should promptly investigate data breaches, and where relevant notify the victims and the competent regulators within the timeframes as set forth in the applicable laws;

 

  1. Protecting individuals affected by a data breach from identity theft and other harms: this includes timely notifications and appropriate compensation to the victims; and

 

  1. Regularly reviewing and updating security policies: the policies should be updated to reflect any change or increased risk in the data collection and storage practices of the company.

 

In the Remarks, the AG stated its evaluation of reasonable safeguards will focus, inter alia, on the following practices: the existence of data inventory, whether retention and information policies are in place, and the extent to which a company vets its service providers. In addition, according to the Remarks, over the next several months the AG’s office will exercise its rulemaking authority under the Act, and present a set of rules that will implement the Act.

Companies processing personal data of Colorado residents should ensure that their practices are aligned with the Guidelines and the Act, prior to the latter’s entry into force. Feel free to contact us if you have any questions regarding the Guidelines and the Act, and their potential effect on your company’s compliance efforts.

 

Please feel free to contact us if you have any question.

Kind regards,

Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation

 

Related Practice Areas

Related Lawyers

More news

Nebraska is the 17th US State to Adopt Comprehensive Data Protection Legislation
Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
Kentucky is the 15th US State to Adopt Comprehensive Data Protection Legislation
JOIN OUR
Newsletter

    © 2020, All rights reserved, Herzog Law
    Site by Gootte

    The information contained in this web site is provided for informational purposes only and should not be construed as legal advice on any subject matter and should not be relied upon as such. Herzog accepts no responsibility for any consequences whatsoever arising from use of the information contained in this web site. The accessing of information contained in this web site shall under no circumstances be considered as creating an attorney-client relationship between Herzog and any party accessing this web site. Contacting through email any lawyer named in this web site or sending information without prior agreement of Herzog shall not be construed as automatically creating an attorney-client relationship between Herzog and the party sending an email or information. The material contained in this web site has been created by and remains the property of Herzog. No reproduction, transmission, publication or any other form of dissemination shall be permitted unless the prior written consent of Herzog has been obtained. This web site may contain links to other web sites operated by third parties. Herzog does not sponsor, approve or endorse the content of any such web site and is not responsible for the materials appearing in such sites.

    Search by
    Search by +

    Search