Colorado has a new consumer data protection law on the books designed to help fight identity theft.
While generally welcome by anyone interested in fighting online crime, not everyone thinks the legislation went as far as it’s been billed.
We’ll come back to that in a bit, but for now, here’s a quick rundown of its key provisions:
Records disposal. The law requires companies that hold onto their customers’ personal identifying information to develop a written policy for the disposal of such records. When such records no longer need to be stored, companies are now expected to destroy the records in a way that ensures the personally identifying information is unreadable.
Security procedures. Companies and their third-party data storage vendors will now have to make sure they have “reasonable” security procedures and practices in place to protect their customers’ personally identifying information from unauthorized access.
Breach notification. Under the new law, companies will have to provide written notice to affected Colorado residents in case of a security breach. They’ll be expected to do so as soon as possible but be given no more than 30 days from the date of the breach and will have to assume the cost of doing so themselves.
Breach reporting to the Attorney General. Businesses will have 30 days after a breach to notify the Colorado Attorney General’s Office.
So, in a nutshell, the law makes it clear that companies that collect customer data need to make sure they dispose of it in a way that keeps the data out of the bad guys’ hands; that they take steps to secure that data; and that they alert their customers when said data is hacked.
The bill was initially met with opposition from businesses that argued that some of its requirements were already part of federal law. They also didn’t like the much shorter notification window in the original version, which was only seven days and was ultimately changed to the aforementioned 30 days.
So, in the end, how big of a deal is this? How much of a change is it from what by now should be standard operating procedure for companies that retain their customers’ Social Security numbers and other sensitive data?
As it turns out, by at least one data security lawyer’s estimation, the bill “only marginally revises existing Colorado data security statutes.”
David A. Zetoony, an attorney at Bryan Cave Leighton Paisner, notes that Colorado law already requires companies that collect customer data to have a policy in place for the proper disposal of paper documents with that information. The new law now covers the disposal of electronic records, and brings Colorado in line with nearly two dozen other states.
Zetoony also said almost a dozen other states already require companies to implement and maintain reasonable security measures to protect sensitive personal information. Moreover, Colorado adopted data breach notification statutes more than a decade ago, so the changes in the new law are really no more than “tweaks.”
In short, the new law “does not signal a sea-change in compliance in the same way as did the European General Data Protection Regulation, or as might the California Consumer Privacy Protection Act of 2018,” Zetoony noted in a recent blog.
None of this, of course, should suggest anyone disregard the law, because as Colorado AG Cynthia Coffman pointed out after the law went into effect, “The damage caused by identity thieves can be life-altering for their victims.”
Jeff Parent is an Insurance Advisor at CCIG. Reach him at firstname.lastname@example.org or at 720-330-7918.
CCIG is a Denver-area insurance brokerage with the full-service capabilities of a national brokerage. We do more than make sure you have the right policy. We also help you manage your long-term cost of insurance with our risk and claims management expertise and a commitment to service excellence.