Colorado AG Provides Clarity on Appropriate Security Practices

Colorado AG Provides Clarity on Appropriate Security Practices

Blog WilmerHale Privacy and Cybersecurity Law

The Colorado AG recently provided guidance on data security best practices. Companies doing business in Colorado, especially those subject to the Colorado Privacy Act, should be paying attention to what is required under Colorado law.

On Data Privacy Day (January 28) the Colorado Attorney General (“the AG”), Phillip Weiser, published prepared remarks on data privacy and data security.  The remarks served to highlight the upcoming implementation of the Colorado Privacy Act, noting that by the fall, a formal Notice of Proposed Rulemaking would be posted.  The AG also published guidance on common best practices relating to data security (“Data Security Best Practices”).

Companies following this guidance will be better positioned to limit, or respond to, data breaches. They may also be in a better position to comply with the Colorado Privacy Act, as the law outlines a “Duty of Care” for controllers, which requires them to take reasonable measures to secure personal data. This guidance may indicate what the AG considers to be “reasonable measures.” And, as with any form of regulator guidance on common issues, these “best practices” also should be evaluated by companies operating anywhere in the country to evaluate whether their information security programs incorporate these ideas, as regulators often borrow from each other on determining what is reasonable and appropriate under state and federal laws.

The guidance lays out nine best practices:

1. Data Inventory and Storage System: Companies should identify and track the types of data they collect and create a system for storing and managing that data.  When inventorying the data collected, an entity should track the source of the data, the purpose for which the data is being used, and the employees that can access this information. The AG also recommends various policies to manage data, including written data retention and destruction policies to ensure that PII is disposed of properly, and procedures that delineate the treatment of personal data—such as the length of time the data is stored and how to manage non-secure storage of this data.

2. Information Security Policy:  Companies should have a written information security policy, containing common security practices like data minimization and encryption.  An effective information security policy also incorporates standards that are applicable to the type of information being protected.  The company should also make the policy accessible and train employees with compliance.

3. Data Incident Response Plan: Companies should implement a written data incident response plan—which outlines what steps to take if a data incident occurs—and keep a copy of the policy in paper format.  Just like with the information security policy, the company should train employees on incident response.  And the entity should practice its plan through table-top exercises.

4. Vendor Security:  The interconnected nature of networks makes it important for companies to vet their potential vendors to ensure that necessary security practices are implemented.  In vendor contracts, entities should also require that appropriate security measures be used. 

5. Employee Training:  Training employees on cybersecurity is particularly important, and the AG specifically recommends that entities train employees to be vigilant about phishing emails and other suspicious network activity. 

6. Department of Law Ransomware Guidance:  The AG recommends that entities follow the Department of Law’s guidance on ransomware. Companies should also ensure that they can access backups of their files in the event of a ransomware attack.

7. Post-Breach Notification: Companies should conduct investigations if they experience a data security breach. If personal information has been, or likely has been, misused, Colorado law requires that the entity notify the affected state residents within thirty days.  If the breach is large—affecting 500 or more Coloradans—the company also needs to notify the Department of Law in the thirty-day period.

8. Protection of Individuals Affected by Breach: If a company collects personal information, it takes on a duty to compensate and protect those affected by a breach.  As a best practice, the AG recommends notifying victims in a timely way and providing them with access to free credit monitoring services.

9. Security Policy Maintenance: Companies should also review and update their security policies regularly, especially to reflect internal changes or increased risks to maintaining personal information.


More from this series


Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.