Colorado: 40 data breaches since new consumer privacy law …and counting.

Photo by Kait Herzog on Unsplash

Cybersecurity breaches that expose consumers’ personal information have become routine. Colorado’s consumer data protection law is meant to offer residents some assurance: if it happens to their personal data, the affected company must notify them within 30 days of determining that a breach occurred.

The state law took effect in September 2018. Just five months later, in February 2019, 33 organizations had already reported data breaches, with notifications sent to more than 91,000 Colorado residents, according to the Colorado Attorney General’s office.

That figure may seem low next to the breaches that affected 500 million Marriott customers and 50 million Facebook users.

But here’s the thing: how many businesses are actually compliant, or even aware that the Colorado law exists?

Benjamin Hase is a Colorado attorney and information manager for the Employers Council, an organization that specializes in helping businesses with employment law. Hase said: “We’ve had a few [breaches] … We’ve had [members] get hacked. We’ve had people with stolen laptops.”

Under the law, companies are only required to notify the attorney general’s office if a data breach affects more than 500 Colorado residents; smaller breaches still require notice to the affected residents themselves, but never reach the AG’s tally.

The Colorado consumer data privacy law, which began as House Bill 1128, passed quickly through the state legislature in 2018 and is considered one of the strictest in the U.S. That reputation rests mostly on the 30-day notification period; most other states allow closer to 45 to 60 days.

But many businesses have still not implemented the processes and policies needed to comply with the new law, although companies that are aware of it are generally willing to do so.

Hase said: “We’ve issued a few of these [notices] but nothing so big that it’s required telling the AG’s office,” he said. “Factor that in with the many organizations that still don’t know about this and who knows how many [breaches] are out there?”

Any organization that holds personally identifiable information (PII) on Colorado residents is required to comply, regardless of where the company is located, including outside the state. The law holds companies accountable for protecting consumers’ data, handling it appropriately, and disposing of it when it is no longer needed.

The Colorado Consumer Protection Act defines personal information as an individual’s name combined with another identifier, such as a health insurance identification number or biometric data, or as a username or email address combined with the password or security question answers that give access to an online account.

For affected businesses, the most challenging aspect of the law is the 30-day notification period, said Esteban Morin, a privacy and data security attorney:

“A lot of times, you don’t know the full scope of what information was affected and you have to get cyber forensics to get in there. That can take a lot of time, but you’re on this very rigid clock, … It’s caused us to make some complicated decisions.”

Morin added that some clients may have to notify customers in waves as the breach investigation continues. As more affected accounts are discovered, another notice goes out, even if that notice lands after the 30-day deadline.

“You might be in danger of violating the 30-day statute, but it’s the best you can do. The 30-day (deadline) is challenging and has caused a lot of stress,” he said. “But at the same time, I understand it does represent personal information and the compromise of that can cause harm to a person’s identity and finances.”

Phil Weiser, the state’s attorney general, said that while it is time-consuming to develop a plan for managing consumer data, and to work out which personal data needs to be deleted, it needs to be done.

 (Jesse Paul, The Colorado Sun)

“There are times when businesses, think Target and Equifax, have been complacent and failed to take reasonable measures that expose consumers to harm. Identity theft is rising year to year because it’s so attractive to hackers to steal consumer information and abuse it,” Weiser said. “We need to make sure we’re doing everything we can. I’m going to make this a top priority for my administration.”

The city of Denver was called out twice in city auditor reports over insecure network folders and outdated policies. It has since addressed most of the auditor’s findings, but it is still working on classifying all the personal data it holds on residents in order to decide what must be retained and what should be erased, according to Dawn Summers, the city’s first chief data protection officer.

Some businesses have found compliance less of a challenge. One is Gusto, a payroll and benefits company based in Denver and San Francisco, which already complied with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

A spokesman for Gusto said:

“We shrugged our shoulders and said we already comply with HIPAA and HITECH … Anytime there’s any data privacy or security type of legislation or regulation, we always take a look to make sure we’re in compliance. If there’s anything we’re missing, we’ll take time to figure it out.”

Meanwhile, Weiser is pushing for even stronger consumer protections. He recently joined attorneys general from around thirty states in urging the FTC to update its rules on identity theft, and he is assembling a group of local business and cybersecurity experts to collaborate on best practices.

“There is, I believe, a real opportunity for us here in Colorado, for us to be at the forefront of developing better cybersecurity, better data privacy and better security practices,” Weiser said.

By most accounts, Colorado’s law has pushed businesses to tighten their data management practices and to delete people’s personal information once it is no longer needed. Morin added:

“Honestly, pound for pound, there are some complications with the 30-day deadline … but I think all around, the fact is that it’s sparked additional conversations and has spurred companies to examine the big picture and talk about what risks do we face if there’s a security incident or how much trouble are we in.”

Further reading: Colorado Attorney General’s Office.

Does your company have business interests in the state of Colorado? Share your comments or concerns below.