As two consumer data privacy bills wind their way through the statehouse, a law passed three years ago is giving Colorado a sense of what happens when private companies, government entities or nonprofit organizations get hacked and consumer data is exposed.
Nearly 200 companies or organizations have reported data breaches and notified 1.6 million Colorado residents since January 2020, according to the Colorado Attorney General’s Office. Data includes health records, passwords, birth dates, Social Security numbers and more.
The state’s data-security law, passed in 2018, required companies to adopt a written policy on how they store consumer data and on destroying it when it is no longer needed. The law did not give consumers the kind of control over their data that the more comprehensive privacy laws adopted in Europe and California provide, and that two bills now before the state legislature seek to provide. But it was considered a first step in ensuring consumers learn when their data has been exposed in a breach.
Reporting of data breaches in Colorado, however, remains inconsistent. Many companies reporting breaches to the Colorado AG’s office were based out of state and filed similar reports elsewhere to comply with each state’s own law, even when a single resident was affected.
Few companies shared an overall number of breached accounts. GoDaddy reported just eight affected accounts to the Colorado AG. The company had earlier disclosed to journalists that accounts of 28,000 web-hosting customers were compromised in October 2019.
Other filings helped add to the bigger picture of a global breach. Hong Kong-based Zoetop Business Co. LTD, which operates online shopping site ROMWE, notified 110,494 Coloradans about a breach linked to customer usernames and passwords found on the dark web last year that may have been part of a 2018 computer hack. (Zoetop is also parent to online retailer Shein, which experienced a cyberattack in 2018 that exposed data of 6.42 million customers.)
Zoetop never said how many consumers were impacted last year. But more was learned as it filed breach notices in other states. It told the Texas AG the breach affected 636,608 Texans. In New Hampshire, there were 29,914 victims. And in Delaware, it was 24,620.
Other companies didn’t show up in Colorado AG breach reports at all but did elsewhere, including SCL Health Colorado, which told the U.S. Department of Health and Human Services that 343,493 current and past patients’ personal data may have been exposed to unauthorized users in July. Some companies tracked by the Identity Theft Resource Center also didn’t show up in the AG’s list, including ParkMobile, a mobile app to pay for parking in Denver and elsewhere. It told customers last month that “a cybersecurity incident” may have exposed customer emails and license plates.
A company’s “data breach” can mean anything from an employee’s stolen laptop to a ransomware attack that locked up computer systems and exfiltrated private data. Thieves resell the data on the dark web to buyers who use it for fraud, such as impersonating a victim to file for unemployment benefits.
“It’s great that the data breach laws are in effect (in Colorado, but) it’s actually one of a patchwork of data breach laws in the U.S.,” said Amie Stepanovich, executive director of Silicon Flatirons who tracks privacy laws at the University of Colorado School of Law. “The states have really had to pick up the ball … to make sure that people get notified when their information is compromised and can take action.”
The varying state laws make the process confusing for consumers and tedious for businesses trying to comply in multiple states. Because each filing counts only that state’s residents, the patchwork can also keep the public from grasping the full magnitude of a breach.
San Francisco-based dating site Zoosk notified the California AG’s office that data of 560,138 California customers was exposed after an unauthorized third party gained access to its database on Jan. 12, 2020. The company also told Colorado’s AG that 95,009 Colorado residents were affected. But Zoosk’s breach reportedly involved 30 million user records, and users have since filed a class-action lawsuit.
Proposed privacy and data-security laws need to account for these nuances and for what else matters to consumers, Stepanovich said, because even the comprehensive data privacy laws don’t protect all personal data, such as photos.
“If my photos are leaked and my personal moments are made public, there is no real process that we’ve developed (to help) somebody recover,” she said. “… Like, if you get five years of free credit card monitoring, are we going to also have to offer five years of free therapy?”
New consumer-privacy bills proposed
Colorado’s data-security law was meant to force companies to be more careful with consumer information. But enforcement is up to the state attorney general, which has a limited staff and has shared only one investigation publicly.
In 2020, the AG’s office found that Kozleski CPAs in Woodland Park had experienced multiple data-security incidents stemming from a ransomware attack. The firm paid $15,000 to the state to settle the case. The AG’s office does not comment on investigations, said AG spokesman Lawrence Pacheco.
“The law and our efforts have had a meaningful impact on consumer protection and providing greater data security,” Pacheco said. “Resources in our consumer protection division are limited. If we had greater resources we could do more, both in terms of education and enforcement. We have undertaken investigations and enforcement efforts when we believe that there has been non-compliance with the law that affects Colorado residents, against companies based inside and out of Colorado.”
Two pending bills could give consumers in Colorado more control of their data.
House Bill 1111 set out to require all state government agencies to ask Colorado residents every 90 days to consent to their personal information being stored with the agency, and to let people request disposal of that data. Delays were allowed for law enforcement if disposing of the data would affect a criminal investigation. But after the fiscal note put the cost of implementing the bill at $2.8 billion, sponsor Rep. Hugh McKean amended it to create an advisory group to study where state agencies store personal data.
“We found out through the fiscal note process just how big of a problem we have,” said McKean, a Loveland Republican who worried last year about how COVID-19 contact-tracing data was being accessed and stored. “We found out that they don’t house that data they were going to use for contact tracing. But they do house a tremendous amount of other data.”
Meanwhile, Senate Bill 190 would give residents the right to find out what personal data companies have stored and ask that it be deleted. Critics of the privacy bill called it more “business friendly” because it exempts some companies and requires people to opt out. It also leaves enforcement to the AG’s office and prevents consumers from taking their own action with a lawsuit.
McKean considers the two bills complementary because both want to give citizens more control of data and force government agencies and companies to rethink what consumer data they truly need.
“We’re all very concerned about the amount of data that gets collected and then what has happened without anyone really watchdogging that information and that use of it,” McKean said. “My dad used to call it the hairball. As the hairball grows and grows, eventually you have to cough it up, and this is hopefully that time when we’re all intent on coughing it up and making sure that whatever we do, we go in with open eyes to what policies we establish ongoing for how we treat data, how we manage data (and) respect the privacy of Colorado citizens.”
Senate Bill 190 passed on a preliminary vote in the Senate Tuesday. The measure still requires a final vote before moving to the House.
Opt in vs. opt out
America’s approach to privacy is different from Europe’s, which passed the General Data Protection Regulation in 2016 and relies on citizens to opt in on data collection and the “right to be forgotten.” That’s unlikely to happen in Colorado or the United States, said James E. Lee, chief operating officer of the Identity Theft Resource Center, which tracks data breaches and provides tools for consumers.
“Most of the time in the U.S., there was no option. You did business with me or you didn’t. That was your option,” Lee said. “We’re moving more toward opt out being a standard part of privacy as opposed to an optional part. But I don’t see the U.S. going fully opt in. If we do, it will be a long time in the future.”
Only California and Virginia have passed comprehensive consumer privacy laws. Nearly half of the 27 bills this year have already petered out, according to the International Association of Privacy Professionals. Fourteen proposals from 10 states are still being considered.
While even lawmakers admit they don’t want to be tracked, they’re trying to balance the demands of the business community that needs location data to deliver groceries, or Social Security numbers to provide credit, or an email to provide a newsletter. Some of the proposed laws are imperfect in the eyes of privacy purists. But other consumer privacy groups support starting somewhere and letting it evolve over time as people learn what privacy actually means.
“Generally speaking, we believe consumers need better protection. And so no law is unacceptable to us — no, as in the absence,” Lee said. “Because of the impacts of cyber attacks and data misuse on consumers, the longer we go without giving consumers more transparency, the more at risk they are. We’re very much in favor of getting things passed.”
While policies continue to be debated, some private companies are offering their own solutions.
Apple’s latest iOS 14.5 operating system adds App Tracking Transparency, which requires an app to ask the user’s permission before tracking them across other companies’ apps and websites; until the user agrees, the app is denied the device’s advertising identifier that such tracking relies on.
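The permission flow described above, as an added example written for this page rather than code from Apple or from any app mentioned in the article. It uses Apple’s public AppTrackingTransparency and AdSupport frameworks; the helper name `requestTrackingAndReadIDFA` is hypothetical, and it assumes the app’s Info.plist carries an `NSUserTrackingUsageDescription` string, without which iOS never shows the prompt.

```swift
// Added example (not from the article): asking for App Tracking Transparency
// permission on iOS 14.5+ and observing what the app gets back either way.
// Assumption: Info.plist contains NSUserTrackingUsageDescription; if it is
// missing, requestTrackingAuthorization returns .denied without a prompt.
import AppTrackingTransparency
import AdSupport

/// Hypothetical helper: request authorization once, then read the IDFA.
/// The system prompt appears only while the status is .notDetermined; after
/// the user decides, later calls return the stored decision without prompting.
func requestTrackingAndReadIDFA(
    completion: @escaping (ATTrackingManager.AuthorizationStatus, String) -> Void
) {
    ATTrackingManager.requestTrackingAuthorization { status in
        // ASIdentifierManager hands back an all-zero UUID unless the status is
        // .authorized, which is what makes the "opt out" in the article effective:
        // a refused app cannot build a cross-app advertising profile from the IDFA.
        let idfa = ASIdentifierManager.shared().advertisingIdentifier.uuidString
        completion(status, idfa)
    }
}

// Usage (constructed): call once the app is in the foreground, e.g. from
// applicationDidBecomeActive, because iOS suppresses the prompt before then.
requestTrackingAndReadIDFA { status, idfa in
    switch status {
    case .authorized:
        print("user allowed tracking; IDFA:", idfa)
    case .denied:
        print("user refused (or Settings disallows requests); IDFA is zeroed:", idfa)
    case .restricted:
        print("tracking restricted by device policy; IDFA is zeroed:", idfa)
    case .notDetermined:
        print("prompt not shown yet; ask again when the app is active")
    @unknown default:
        print("unrecognised authorization status")
    }
}
```

Two practical caveats for anyone measuring opt-in rates like the ones quoted below: a user who has switched off “Allow Apps to Request to Track” in Settings is reported as `.denied` without ever seeing a prompt, and an app that simply never calls `requestTrackingAuthorization` stays `.notDetermined` and still receives a zeroed identifier, so “did not opt in” covers more than explicit refusals.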
Three weeks after the feature launched, only 6% of mobile users agreed to be tracked, according to Flurry Analytics, leading to headlines that more than 90% of U.S. users opt out of tracking.
“Given a choice, there are a lot of people who are involved in transactions where data is collected, is used, is aggregated and then is bundled up and sold,” Lee said. “And there’s a lot of people that don’t want that to happen.”