Colorado Legislators Propose Expansion of Cybersecurity Regulations


Newly Proposed Regulations

In January of 2018 bi-partisan legislation was proposed to expand Colorado’s current cybersecurity laws. The bill, Protection for Consumer Data Privacy (HB18-1128), would broaden the scope for which companies collecting and storing data must secure personally identifiable information (PII) and report a data breach. If passed, the bill will go into effect September 1, 2018. Additionally, the bill adds parameters to the definition of PII.

Expansion of PII Definition

The new definition, according to the proposed bill would encompass the following:

  • Social Security Numbers
  • Personal Identification Numbers
  • Passwords
  • Pass codes
  • Official state or government issued drivers license or ID card
  • Government Passport Number
  • Biometric Data
  • Employer, Student, or Military Identification Number
  • A Financial Transaction Device

Reasonable Security Procedures and Practices Will Be Required

Although vague, the bill requires companies to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business operations. Reasonable security procedures and practices could best be mapped to notable industry best practices, such as the CIS top 20 controls. The National Institute of Standards and Technology also publishes security guidelines that would fall under such a “reasonable” category.

The legislation expands the requirement when PII is shared across state lines. That means, if your business manages customer PII from Colorado, your company falls within the scope of this legislation. The bill calls on these companies to protect the PII from unauthorized access, use, modification, disclosure, or destruction.

Additional requirements outlined in the bill are as follows

  • Companies must develop policies and procedures for the destruction of hard and electronic documents containing PII
  • Companies must report a data breach within 45 days
  • Develop a reasonable set of policies and procedures for securing PII
  • Conduct a good faith and prompt investigation to determine the likelihood that PII has or will be misused
  • Notify Colorado residents that misuse has not occurred or not reasonably likely to occur

Violations May Result In Criminal Prosecution

Violations of the bill may result in an investigation from the state Attorney General as well as potential prosecution of related criminal violations.

Rigid Bits Can Help

Rigid Bits specializes in helping customers secure their data, including PII. Our solutions meet the reasonable requirements that businesses must follow according to this proposed bill. If you have questions or would like additional information on how Rigid Bits can help secure your systems, contact us today.