The Colorado AG recently issued guidance on practices companies should consider to safeguard consumer data. This guidance was issued in response to companies asking what “reasonable” security means. While noting that the standard is a flexible one and calls for case-by-case determinations, the AG highlighted activities it will weigh when making a decision on whether companies are acting reasonably to safeguard information.
Specifically, the AG noted a few practices as critical when determining whether a company is acting reasonably to safeguard information. These include identifying and managing data (including proper retention practices). The AG also noted having and implementing a written information security policy and incident response plan. The CO AG also placed importance on ensuring that vendors have proper security measures in place.
Altogether, nine practices were highlighted. These include advising companies to:
-
Inventory types of data collected and establish systems to store and manage data.
-
Develop a written information security policy.
-
Adopt a written data incident response plan.
-
Manage vendors’ security.
-
Train employees to prevent and respond to cybersecurity incidents.
-
Follow the Department of Law’s ransomware guidance.
-
Notify affected individuals and the Colorado AG of a breach, as required under law.
-
Protect affected individuals of a data breach from identity theft and harm.
-
Review and update security policies regularly.
This guidance comes in light of the upcoming Colorado Privacy Act (CPA), which we previously covered here. The CO AG also announced rulemaking for the CPA to begin soon, with the adoption of final rules expected by early next year.
Putting it Into Practice: The CO AG’s advice signals the growing expectations of the steps companies should take to protect information. This follows the trend of other state AG’s issuing cybersecurity guidance. For example, the New York AG recently issued information on how to protect against credential stuffing attacks.