Rarely does a week go by without hearing of another cybersecurity breach that exposed piles of private consumer data to strangers. At least Coloradans can take comfort that should this happen to their own personal data, the attacked company must notify them within 30 days.
The state law, which went into effect Sept. 1, has as of Feb. 5 resulted in 33 organizations reporting consumer data breaches and notifications sent to 91,235 Coloradans, according to the Colorado Attorney General’s office.
That may seem low, considering that also since September, data breaches affected 500 million Marriott International customers, 50 million Facebook users and others. But it’s unknown how many companies are in compliance with Colorado law — or even know about it.
“We’ve had a few” breaches, said Benjamin Hase, a Colorado attorney and information manager for the Employers Council, which helps companies with employment law. “We’ve had (members) get hacked. We’ve had people with stolen laptops.”
But companies are only required to tell the attorney general’s office if it impacts more than 500 Coloradans. The law, which began as House Bill 1128, passed quickly in the state legislature last year and is considered one of the strictest in the nation because of the 30-day notification period (Florida’s is also 30 days, but the industry standard is more like 45 to 60 days). Many companies probably still aren’t familiar with the new law, though those who learn about it want to comply, Hase said.
MORE: Colorado has one of nation’s strictest consumer data protection laws. Are you ready?
“We’ve issued a few of these (notices) but nothing so big that it’s required telling the AG’s office,” Hase said. “Factor that in with the many organizations that still don’t know about this and who knows how many (breaches) are out there?”
Companies that store private data of any citizen in Colorado are included, even if the company is located outside of the state. The law also requires companies to protect consumer data, manage it and delete it when it’s no longer needed. It’s part of the Consumer Protection Act, which defines personal data as a name plus another identifier, such as a health insurance number, biometric data or a security question that unlocks a user’s account.
The 30-day notification system has been the tough part for many businesses, said Esteban Morin, an attorney specializing in privacy and data security for the Denver office of Brownstein Hyatt Farber Schreck.
“A lot of times, you don’t know the full scope of what information was affected and you have to get cyber forensics to get in there. That can take a lot of time, but you’re on this very rigid clock,” Morin said. “It’s caused us to make some complicated decisions.”
Morin said some clients might have to notify customers in waves as the breach investigation continues. As more affected accounts are discovered, the notice goes out, even if it’s after the 30-day deadline.
“You might be in danger of violating the 30-day statute, but it’s the best you can do. The 30-day (deadline) is challenging and has caused a lot of stress,” he said. “But at the same time, I understand it does represent personal information and the compromise of that can cause harm to a person’s identity and finances.”
While it’s time consuming to develop a plan to manage consumer data — and figure out what personal data needs to be deleted — it needs to be done, said Phil Weiser, the state’s attorney general.
“There are times when businesses, think Target and Equifax, have been complacent and failed to take reasonable measures that expose consumers to harm. Identity theft is rising year to year because it’s so attractive to hackers to steal consumer information and abuse it,” Weiser said. “We need to make sure we’re doing everything we can. I’m going to make it this a top priority for my administration.”
Weiser declined to share which organizations reported data breaches since cases are under investigation. But his office said common methods included phishing emails with malicious links or point-of-sale systems and online shopping carts infected with malware. Types of sites ranged from travel companies and banks to retailers. Another common target? Rewards-program databases.
The city of Denver, which was dinged twice in city auditor reports for some insecure network folders and outdated policies, has addressed most of the auditor’s issues. One piece it’s still working on is classifying all the stored private consumer data to figure out what needs to be kept or deleted, said Dawn Summers, the city’s first chief data protection officer. The city also adjusted its notification period to 30 days.
“I like to use the analogy of a house. (Colorado law) says your house is information security and you have to lock it. If someone breaks in, you have to fix it. And you have to take out the trash,” said Summers, adding that she expects the city’s more robust data privacy process will take three to five years to implement. “…Privacy and data protection is a little different from information security. It’s changing how our work culture thinks about how we’re using people’s information.”
Some businesses found it easy to comply with the new law. Gusto, a payroll and benefits company with co-headquarters in Denver and San Francisco, already met regulations like HIPAA, the Health Insurance Portability and Accountability Act; and HITECH, the Health Information Technology for Economic and Clinical Health Act.
“We shrugged our shoulders and said we already comply with HIPAA and HITECH,” said Rick Chen, a spokesman with Gusto. “Anytime there’s any data privacy or security type of legislation or regulation, we always take a look to make sure we’re in compliance. If there’s anything we’re missing, we’ll take time to figure it out.”
Gusto tweaked its policy to notify Coloradans within 30 days. But it expects more changes are coming with future laws.
The California Consumer Privacy Act goes into effect in January 2020 and would make it easier for consumers to find out what personal information has been collected and request it be deleted. And a federal bill proposed by U.S. Sen. Ron Wyden, D-Oregon, would allow Americans to find out who is buying their personal data. Chen said companies like Gusto realize they must stay on top of new laws.
“As a general rule, we tool processes toward the most strict requirement to fully comply with all relevant laws and regulations,” Chen said.
The attorney general’s office has a FAQ page online to guide businesses that need to comply. The Employers Council also provides advice on creating policies.
Weiser is also moving ahead to adopt stronger consumer protections. On Monday, he joined attorneys general from about 30 states to urge the Federal Trade Commission to update identity theft rules to clamp down on thieves using available data to, for example, get a credit card in someone else’s name. Weiser is also working on getting a group of local business and cybersecurity leaders to collaborate on best practices.
“There is, I believe, a real opportunity for us here in Colorado, for us to be at the forefront of developing better cybersecurity, better data privacy and better security practices,” Weiser said.
If anything, Colorado’s law has helped companies reevaluate data management policies, find risks and make sure they’re deleting personal user data when it’s no longer needed, Morin said.
“Honestly, pound for pound, there are some complications with the 30-day deadline,” Morin said, “but I think all around, the fact is that it’s sparked additional conversations and has spurred companies to examine the big picture and talk about what risks do we face if there’s a security incident or how much trouble are we in.”
More from The Colorado Sun