Anytime a new statute or regulation comes along, some service providers can’t help but jump on the fearmongering bandwagon.
The Bryan Cave Leighton Paisner Data Privacy and Security Team has always resisted that temptation. Indeed, we try to go in the opposite direction: when we see fearmongering or misinformation about a statute or provision, we go out of our way to dispel the myths. Given the prevalence of these types of articles, this has, unfortunately, turned into something of a series that we refer to as “Stop the Hype!”
The latest area of hyperbole surrounds Colorado’s recent revisions to its data security statutes through the enactment of House Bill 18-1228 on May 29, 2018. Law firms have described the bill as a “sweeping new Colorado data privacy law,” a “far reaching new privacy and cybersecurity law,” and a new “stringent data breach notification.” One publication went so far as to refer to it as the “strictest law in the nation regarding how businesses and state government[s] . . . prepare for and handle security breaches.”
The Colorado bill is none of these. Putting aside the fact that the bill has nothing to do with data privacy at all (i.e., the collection, use, and sharing of information), the bill only marginally revises existing Colorado data security statutes. It arguably imposes no new obligations on national or multi-national companies. At the risk of going into the realm of hyperbole myself, from a data security lawyer’s perspective the bill is relatively uninteresting. The following provides a summary of the changes and puts them in context.
- Data Destruction. Colorado law already required that companies that collected sensitive personal information develop a policy “for the destruction or proper disposal of paper documents” containing that information. House Bill 18-1228 broadens the requirement to include the proper disposal of electronic records that contain sensitive information. Far from creating the “strictest” standard in the country, the bill brings the Colorado disposal statute in line with the requirements of nearly two dozen other states. For example, California has required that companies “take all reasonable steps to dispose” of customer records (paper or electronic) for over eighteen years. Hawaii has required that companies “describe procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity” for over a decade.
- Safeguards. House Bill 18-1228 adds a provision to Colorado law that requires companies to “implement and maintain reasonable security procedures” to protect sensitive personal information. While this will be a new statutory requirement within Colorado, it can scarcely be characterized as sweeping or groundbreaking. Almost a dozen other states already require that companies take “reasonable” steps to protect sensitive information. Far from being the “strictest” requirement in the country, some other states – Massachusetts, for example – prescribe far more detailed, specific measures that must be taken when securing sensitive information than Colorado does.
- Breach Notification. Colorado passed a data breach notification statute in 2006 as part of a “third wave” of states to do so. House Bill 18-1228 tweaks and updates the existing law by applying it to new types of data such as biometrics, medical information, and user name (when in combination with a person’s password). It also adds a requirement that the state attorney general be notified in the event of certain types of breaches. Again, nothing within these changes is revolutionary or particularly noteworthy. Ten states already applied their breach notification statutes to biometric information, seventeen to health or medical records, and nearly a dozen to user name and password. Approximately thirty states already require notification to their attorneys general (or some other state regulator). Some authors have pointed to the fact that House Bill 18-1228 requires breach notification “not later than thirty days after the date of determination that a security breach occurred” as a sweeping reform. While that time period is certainly on the shorter side, Colorado is far from the first state to codify a 30-day requirement (Florida has had one for years), nor is it the shortest time period within which breach notifications must be made. Puerto Rico has required government notification within ten days, and Europe requires government notification within 72 hours (three days).
The net result is that Colorado House Bill 18-1228 modestly modifies existing Colorado data security provisions. While companies should be aware of the changes, for companies that have been compliant with other United States data security laws House Bill 18-1228 does not signal a sea change in compliance in the way that the European General Data Protection Regulation did, or that the California Consumer Privacy Act of 2018 might (for more information on that topic, read Out of the Pot and Into the Fire? What the Heck Happened in California?!).
I renew the challenge (and plea!) to other members of the data security community – and in particular other data security lawyers – to refrain from blowing changes in the law out of proportion. Our role should be to provide objective advice to companies and help them triage and prioritize changes in the law; it should not be to make our clients panic at every turn.