Three Key Requirements Imposed by Colorado’s New Consumer Data Privacy Statute

Be careful what you ask for (and maintain) about Colorado residents…especially if you don’t have the proper data security policies in place. On September 1, 2018, Colorado’s new privacy law, HB 18-1128, goes into effect, imposing new requirements on any business or government entity that maintains, owns, or licenses personal identifying information about Colorado residents.

The new law imposes three key requirements on businesses subject to the rule:

  1. Reasonable security procedures and practices must be implemented that are proportionate to the nature of the personal identifying information maintained and the nature and size of the business’s operations.
  2. Written policies for the destruction and proper disposal of paper and electronic documents containing personal identifying information must be developed.
  3. Breach notification procedures must be followed, including adhering to a 30-day time period by which notification must be completed.

Businesses that do not already have written data disposal and security policies should act quickly to ensure that they are compliant with the nuances of the new law.

Colorado’s breach notification requirement imposes a more aggressive requirement for notifying affected residents than requirements under the Health Insurance Portability and Accountability Act (HIPAA) and virtually any other U.S. state. A business must provide written notification with certain information to affected residents in the most expedient time possible and without unreasonable delay, but not later than 30 days after the point in time when there is sufficient evidence to conclude that a security breach has occurred. Larger breaches trigger additional notifications: the Colorado Attorney General must be notified for breaches believed to have affected 500 or more residents, and certain consumer reporting agencies for breaches believed to have affected 1,000 or more residents.

Reflective of the shift towards providing consumers with more control over their personal information, the bill is codified under the Colorado Consumer Protection Act (CCPA) and potentially creates a private right of recourse against businesses that misuse a resident’s information. CCPA causes of action oftentimes include assertion of a right to triple damages and reasonable attorneys’ fees. Additionally, the Colorado Attorney General may bring civil, or in some cases criminal, actions for violation of the law.

The frequently unforgiving nature of civil monetary penalties imposed by the HHS Office for Civil Rights (OCR) for HIPAA violations should be cautionary. Not only is there great risk of exposure for unprepared or noncompliant businesses facing enforcement by state and federal regulatory agencies; now more than ever, individual or class action liability seems to be on the horizon. Last, but not least, businesses never envision themselves as “the ones” making headlines about their data breaches…until it happens…and happens quickly.

What if I already comply with other state or federal privacy laws?

The new law indicates that businesses already regulated by other state or federal law are in compliance if they adhere to that regulator’s procedures for the protection and disposal of personal identifying information. If the business operates in interstate, international and/or online commerce involving Colorado residents, however, a thorough review of policies and procedures is recommended to ensure that the various applicable laws are reconciled.

Recommendations:

Businesses subject to the privacy law should take the following steps, at a minimum, to ensure that they are prepared to comply.

  1. Entities should know and map the flow of data both internally and outside of their business, whether in paper or electronic format. Inventories of hardware and other electronic portable devices where electronic media is stored should be routinely tracked.
  2. Employees must be routinely trained in policies. Handbooks should be updated, and the need for nondisclosure and confidentiality agreements assessed. Appropriate protocols for the destruction and disposal of personal identifying information must be implemented for current and departing employees.
  3. Third-party service vendors should be identified and communicated with regularly to obtain assurances of compliance. Contractual documents should memorialize vendors’ obligations.
  4. Businesses, including HIPAA covered entities, should rework their data breach policies and ensure that third-party vendor agreements or business associate agreements reflect Colorado’s more stringent breach notification timeline of 30 days.

Conclusion:

There is no uniform mechanism for determining how best to implement the necessary measures. Legal counsel specializing in data privacy and security law are instrumental resources when ensuring that adequate measures are taken to navigate compliance with state and federal laws, especially in today’s rapidly changing environment.

Trial and Error: VPN Continues to Disappoint

The last time I wrote I said I would be trying Nord VPN to see how well it worked to allow me to access bank and office email when traveling. Today, I’ll tell you why I gave up using it. This may tell you more about me, however, than about Nord VPN. My primary reason for using a VPN was to be able to access bank sites from hotel rooms. (I’d hate to think the stock market fell and I couldn’t sweat the details that evening!)

I found it too difficult to use such sites after I logged in. Many times, my fix was to turn the VPN on to log in, then turn it off to download transactions into my financial software. Some banks regard the use of a VPN as a red flag for fraud, particularly if you appear to be logging in from a foreign country.

(I haven’t found that myself).

I looked on the internet to see what I could do and was disheartened by the complexity of it all.

Maybe I am spoiled by the ease of using an iPhone but I was hoping this would work without having to troubleshoot settings.

Bottom line: VPNs do not appear to be a ready and easy way to safely use unprotected Wi-Fi connections. Your cellular phone connection is safe.

(I sure hope so.)

If you can’t use your laptop via cellular, you can use your phone to change your password, use the laptop on an unsecured network, then use the phone to change the password back.

(Or am I missing some other problem?)