2018 brought along a new set of requirements for Colorado small businesses, in the form of House Bill 18-1128. Taking effect in September 2018, this bill fleshes out data privacy and breach notification rules for “covered entities”.
Do these new rules apply to you? The bill defines a “covered entity” as any individual or legal or commercial entity (in plain English: any person or business) that handles documentation containing personally identifying information (PI), whether on paper or in electronic form, as part of its business operations. In turn, PI is information about Colorado residents that could be used to uniquely identify them: names combined with social security, passport or driver’s license numbers; usernames and passwords; medical and biometric information; and so on. Financial data (credit card numbers, account numbers, etc.) is also considered PI.
If your business collects, stores, or uses any of the PI defined above, then HB 18-1128 most likely applies to you. Read on for a quick summary of the security measures and practices you need to implement in order to remain compliant with the law.
1. Develop a written policy for destroying and disposing of documentation containing PI, whether paper or electronic, as soon as it is no longer needed. Exceptions apply to information that state or federal law requires you to keep for a certain period of time.
2. Implement and maintain reasonable security procedures. This is section 6-1-713.5 of the bill and is relatively open-ended. After all, what works for one system could introduce security holes in a different one. The bill emphasizes protecting PI from unauthorized access: if you have no idea how your business can guarantee this, it’s time to talk to a data security professional.
3. Investigate and disclose, within 30 days, data breaches that may have compromised PI. If unauthorized acquisition of PI happens on your watch, you are now required to report it to the affected individuals with a Notice Letter. Should the breach affect more than 500 Coloradans, the State’s Attorney General must also be notified.
The computer scientists of XorFox take data security very seriously. Contact us for a free consultation if you need to discuss any of your digital security needs.