A Prelude to Enforcement: Colorado AG Issues Remarks Opining on What Constitutes Reasonable Security Measures

Last month, on Data Privacy Day, Colorado’s Attorney General Philip Weiser released prepared remarks entitled “The Way Forward on Data Privacy and Data Security” that shed some light on his approach to enforcing Colorado’s existing data security law, and the Colorado Privacy Act (“CPA”) once it comes into effect in 2023.  Those remarks also provided a CPA rulemaking update and offered guidance on how companies can best comply with Colorado’s data security requirements.

This post summarizes those remarks, and highlights for companies that do business in Colorado the steps that—based on AG Weiser’s remarks—they should focus on to avoid falling within the AG’s crosshairs.

A Focus on Data Minimization

A key theme in AG Weiser’s remarks was the symbiotic relationship between effective data privacy and attention to data security, and the role that data minimization plays in both. To that end, AG Weiser highlighted several data minimization practices that businesses should use to protect consumer privacy, and that also pay data security dividends, including “limiting their collection of personal data to only that which is necessary . . .holding such data only as long as needed, and securely disposing of data that is no longer useful.”

In a world where breaches are inevitable, AG Weiser has made clear that unnecessary collection and retention of data will count against a finding that a business’s data security practices are reasonable. For our practical tips on how organizations can implement effective record retention practices to meet this challenge, see our post on that subject from last year.

Rules of the Road—A Framework for Judging the Reasonableness of Businesses’ Security Practices

In what businesses should find to be a particularly useful part of his remarks, AG Weiser, offered several “rules of the road” that he said his office will use in assessing whether companies are acting reasonably to safeguard sensitive information, including as required to meet their duty of care under the CPA:

  • First, whether a company has identified the types of data it collects and has established a system for storing and managing that data, including ensuring regular disposal of data it no longer needs.
  • Second, whether a company has an up-to-date written information security policy and trains its employees on complying with this policy. According to AG Weiser, policies that are “outdated or exist only in theory with no attempt to train employees or comply with the policy” will not cut it.
  • Third, whether company has adopted a written data incident response plan. To that end, AG Weiser explained, “[f]ew valid reasons exist” for companies failing to provide notice to individuals affected by a data breach, and Colorado “has made this easier for companies by setting up an online data breach reporting tool.”
  • Fourth, whether company has appropriately assessed its exposure to cyberattacks targeted at its third-party vendors. In this regard, AG Weiser highlighted the now-infamous HVAC vendor whose compromise by cybercriminals led to the Target data breach in 2014.

Reasonable Security Best Practices (aka, the Controls the AG’s Office Will be Looking for)

AG Weiser concluded his remarks by highlighting several best practices that companies can use to protect against ransomware attacks—a threat to which “companies are vulnerable” and “need to take action,” according to AG Weiser—and that are “also relevant to establishing reasonable data security practices.” The list of practices, though not new to anyone working in this space, is a helpful encapsulation of key practices that can help avoid breaches, and reduce their scale and seriousness when they occur:

  • Adopt multifactor authentication;
  • Use endpoint detection (to look for malicious activity on the network);
  • Encrypt sensitive data (so that data, if stolen, cannot be used);
  • Respond and address any malicious activity detected on the network;
  • Use a skilled, empowered security team (to patch rapidly, and share and incorporate threat information into company defenses);
  • Backup your data, system images, and configurations, regularly test them, and keep the backups offline;
  • Update and patch systems promptly;
  • Test your incident response plan;
  • Check your security team’s work; and
  • Segment your networks.

AG Weiser also noted the recent release by his office of a publication entitled, Data Security Best Practices, which expands on the recommendations above. Although that publication notes that “implementing the practices outlined in [the] document alone may not be sufficient for an entity to be fully compliant with Colorado law,” AG Weiser’s remarks make clear that he views these practices as substantial steps toward any entity being able to demonstrate its compliance with the CPA, and the entity’s use of reasonble data security safeguards.

Organizations that follow these practices will be more prepared to prevent, detect, respond to, and remediate data breaches, as well as demonstrate to the AG the reasonableness of their efforts to secure the personal data of Coloradans, if (or when) the need arises.

Adherence to these best practices will also place organizations in a better position to comply with the regulations issued by the AG’s office to implement the CPA, once they’re issued. According to AG Weiser, his office will post a formal Notice of Proposed Rulemaking by the fall of 2022, which will include a proposed set of model rules. His goal, he explained, is then to be “in a position to adopt final rules around a year from now,” i.e., late January 2023.

*             *             *             *

Organizations that do business in Colorado should heed the remarks of AG Weiser and note the recommended data security best practices. Failing to do so could be used as evidence (at least as suggested in his remarks) of a lack of reasonableness in the organization’s privacy and data security program. If your organization needs assistance implementing or assessing the sufficiency of your data security safeguards, please don’t hesitate to reach out to a member of our team.