As cybersecurity concerns grow, the Colorado Privacy Act will soon take hold in the ever-evolving world of data.
The act, which goes into effect July 1, 2023, has multiple facets, including giving users the right to opt out of the sale of their personal data or the use of that data for targeted advertising. It also gives the public the right to know if their data is being collected, to access the data being collected and to correct it.
It also requires controllers to conduct data protection assessments for processing activities that involve personal data and present a heightened risk of harm to consumers. It specifies that a violation of the CPA is a deceptive trade practice for the purpose of enforcement, and that the act can only be enforced by a district attorney or attorney general.
Law Week recently caught up with Colorado Attorney General Phil Weiser to learn more about the act and why he thinks it’s needed in Colorado for businesses and residents.
“At the consumer level, the increase in the collection, use and transfer of personal data leaves that data vulnerable to cybersecurity attacks,” Weiser wrote to Law Week. “This increase in data collection also impacts consumer privacy.”
He added that Colorado residents often don’t have enough knowledge of, or control over, how businesses use their information. In turn, that data could be used in ways that impact Coloradans’ rights without them even knowing it, leaving them with little recourse.
“At its core, the Colorado Privacy Act benefits Colorado residents by giving consumers power over how their personal data is used and by obligating businesses to safeguard consumer data,” Weiser wrote.
One of the other major tasks for the act involves businesses. The AG contended the act will place obligations on businesses to protect the data they collect and use by implementing security measures, limiting the collection and use of data and including disclosures about how the data is used.
“The Colorado Privacy Act creates accountability both with consumer-facing entities, as well as their service providers and partners,” the AG wrote.
Another concern is supply chain attacks. According to an article from Wired, supply chain attacks happen when “malicious code” or a component is put into a piece of hardware or software that is generally trusted.
In December 2020, the Colorado Division of Securities (DOS) alerted security firms to be aware of the SolarWinds hack. That company provides updating and monitoring software for government agencies and companies, according to the DOS.
During the breach, SolarWinds Orion software transmitted malware to many of its clients, the DOS stated. The DOS advised any firm with a known malicious version of the software to contact its primary regulator, while state registered investment advisers and intrastate broker-dealers could contact the DOS.
Weiser explained that supply chain attacks work by taking advantage of vulnerabilities in vendors that offer services to small businesses.
“So it is more important than ever for even smaller institutions to understand what they can do to secure their systems, and what questions they need to ask their vendors to help avoid attacks,” he wrote.
Big companies aren’t the only ones facing cyber threats. Smaller communities in Colorado face them too. Just last month, Fremont County, which is southwest of Colorado Springs, suffered a major cyber attack impacting county government systems and causing county offices to close. The Colorado Governor’s Office of Information determined it was a BlackCat ransomware attack.
“The BlackCat ransomware variant has recently impacted multiple jurisdictions in Colorado, so it’s imperative that every business and government agency be on high alert and take the necessary steps to protect their systems from being compromised,” said OIT Chief Information Security Officer Ray Yepes in a press release earlier this month.
Future technology is also at the forefront when it comes to privacy and cybersecurity in Colorado, including how they work within the framework of artificial intelligence and machine learning.
“We are also focused on the impact of the increase in interconnected devices that collect data through day-to-day activities, such as through the use of smart homes, autonomous vehicles, and systems that rely on biometric information for identification,” Weiser wrote.
He added that the increase in the collection and sharing of data also means there could be new and creative ways consumers could be harmed, including through the sharing of particularly sensitive data, novel types of fraud or unseen bias in the data.