On September 1, 2018, the Colorado Protections for Consumer Data Privacy law, HB 18-1128, goes into effect. A bipartisan group introduced HB 18-1128 in January, and after the usual negotiations, the Legislature passed it unanimously. The new privacy provisions are part of the Colorado Consumer Protection Act (“CCPA”), in a continued effort to protect personal data.
Colorado is getting the message. Data privacy and security are important – and companies need to be held accountable.
What Data Does HB 18-1128 Protect?
The new Colorado legislation specifies exactly what kind of personal data companies need to track regarding Colorado residents. HB 18-1128 defines Personally Identifiable Information (PII) for Colorado residents as a first and last name combined with any one or more of the following data elements:
- Social Security Number
- Student, Military, or Passport ID number
- Driver’s License Number
- Medical Information
- Health Insurance ID number
- Biometric data
- Username or email address with password and/or security questions and answers
- Credit card number with PIN, access code, or password
HB 18-1128 applies to Colorado residents, but any company that manages PII for Colorado residents, wherever that company is located, needs to be aware of this new legislation.
How Long Do I Have to Report a Data Breach?
HB 18-1128 requires organizations to notify Colorado residents within 30 days of the discovery of a data breach where their PII was involved.
If more than 500 Colorado residents are affected, companies must also notify the Colorado State Attorney General’s office. The law empowers the Attorney General to prosecute violations.
What Else Does the Bill Say?
HB 18-1128 requires organizations to implement reasonable controls and safeguards to protect PII. If that sounds familiar, the EU GDPR, California, and Massachusetts have used similar language to articulate the same idea – data security, especially for personal information, is critically important.
What Can I Do To Comply With the New Colorado Privacy Law?
First, ask yourself about your company’s overall preparedness level to deal with a cyberattack.
Second, review best practices and recommended data security strategies outlined in resources like NIST and SANS – and determine how your company can apply these security principles.
Third, review your data breach procedures, and make sure you’ve got solutions in place to help identify PII, protect sensitive data, and detect potential security breaches.
The Varonis Data Security platform is the core of an effective data security strategy to protect your company from data breaches. Varonis discovers, identifies, and monitors PII on your core data stores, and detects (and alerts on) any abnormal or unlawful access to that data.
Get a 1:1 demo and learn how to discover where your Colorado-related PII lives and how to meet the new privacy law – get a head start on compliance with HB 18-1128 and protect your data wherever it lives.