Colorado could raise the bar on how companies handle residents’ personal data if a bipartisan bill proves successful this session.
State lawmakers introduced a bill Jan. 19 that would build on Colorado’s existing data security and breach notification framework. House Bill 1128, if passed, would place more specific deadlines on data breach notification and give the Colorado Attorney General’s Office more authority to pursue cases against companies following a data breach.
Republican Rep. Cole Wist is co-sponsoring the bill with Democratic Rep. Jeff Bridges. Bridges said the bill was partly a response to last year’s Equifax hack that compromised the personal data of more than 140 million people. While that breach brings the cybersecurity issue “into sharp focus,” Bridges said, the bill’s proposals for Colorado are broad and go beyond the Equifax incident.
Wist, a shareholder at Ogletree Deakins who represents employers in labor and employment matters, brings a consumer’s perspective to the data breach issue. His personal data was exposed in the 2015 Blue Cross Blue Shield hack, and he’d only found out about it when the IRS informed him that someone tried to file tax returns using his and his family’s identifying information. The Wists have been on guard against identity theft since then.
“The amount of brain damage and trauma that created for us is still fresh with me,” Wist said.
The bill isn’t a “silver bullet” for consumers, Wist said, as there’s “no absolute guarantee that their information won’t be hacked.” But it can help minimize the damage consumers face when it happens and give the attorney general more authority to go after the hackers, he added.
The bill is currently assigned to the House State, Veterans & Military Affairs Committee, which has a reputation as that chamber’s “kill committee.” But House Bill 1128 carries bipartisan support.
Under the bill, companies would have to more diligently review what consumer data they have and ensure they aren’t maintaining personal identifying information they don’t need, Bridges said. House Bill 1128 would require businesses to destroy or encrypt documents when they “are no longer needed.”
House Bill 1128 would require any entity that handles Colorado residents’ personal identifying information to “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” The bill would also require entities to ensure that their third-party vendors are doing the same.
The reasonableness standard, though not uncommon among data security laws and regulations, can be a tough one for entities and their counsel to nail down.
As introduced, the bill “is completely ambiguous as to what that means,” and companies are going to struggle to figure out whether they’re complying with it, said David Stauss, a partner at Ballard Spahr who heads the Denver office’s privacy and cybersecurity practice group.
Entities might have to look to how reasonableness is defined in other standards, such as the Massachusetts data security statute or sector-specific regulatory standards like HIPAA’s, and cobble them together. But if the bill passes, “it’s not outside the realm of possibility” that the Attorney General’s Office would issue guidance to clarify what constitutes reasonable security procedures and practices in Colorado, Stauss said.
From a compliance perspective, the most pointed facet of the Colorado cybersecurity bill might be its notification windows. The bill maintains the current statute’s standard that entities notify affected consumers “in the most expedient time possible and without unreasonable delay,” but it would add a 45-day deadline.
Notably, the 45-day clock begins on the date of the breach, not the date the entity first discovers it, so the window can lapse before an entity even knows it has been breached. Equifax claimed it first discovered its data breach July 29, but breaches occurred dating back as far as May 13. A 2015 Ponemon Institute report found that financial companies take an average of 98 days to discover they’ve been hacked, and retailers averaged 197 days.
“It is not uncommon in the industry to not find out there’s been a security breach until much later,” Stauss said. “We see that with clients all the time.” Hackers might patiently wait to take action after they’ve successfully breached a company’s networks, he added.
Entities would also have to report the breach — if it might affect more than 500 Colorado residents — to the Colorado Attorney General’s Office within seven days of discovering it.
The attorney general can bring an action to recover damages from an entity, compel it to comply with the bill’s security standards, or both. Under the bill, the attorney general would also have the authority to investigate and prosecute crimes under Colorado’s computer crime statute.
Stauss said that if the bill is enacted, companies have to jump on the notice deadline. “By the time you reach a lawyer like me who knows about this law, you’re going to be in violation of that seven-days [requirement].” It makes it all the more important that companies retain data breach counsel on the front end, he added.
— Doug Chartier