New Colorado Breach Notification Rules Signed into Law


If your company has customers in Colorado, get ready to revamp your policies for notifying victims of a data breach. Colorado’s data breach notification law is the most stringent in the nation. Companies need to adopt “reasonable” (i.e. what you can defend in court) security practices and procedures that protect personal information.

Under the new law, if an individual’s personal information is part of a breach, they must be notified within 30 days after discovery — no exceptions. In addition, the law broadens the definition of personally identifying information to include health care and financial data.

The new notification requirement will have a special impact on organizations that must notify individuals of a HIPAA breach because it takes precedence over the federal 60-day notification window.

Notification requirements include telling affected individuals which data was released and the estimated date of the breach.

Next, each business must develop a Written Information Security Policy (WISP) covering document destruction when data is no longer needed. You also need to perform due diligence on the vendors who handle your PII to make sure they have appropriate security procedures in place.

Finally, you must train employees on your Written Information Security Policy (WISP), as required by the law.

Failure to act can result in civil and criminal action by the state Attorney General. This is a major change in the privacy and security of personal data. For more information, contact Scott Fasken, Founder of Colorado Document Security.


Colorado Document Security provides on-site data destruction and helps businesses meet the new Colorado Data Breach Notification Law with written policies and procedures, employee training, and due diligence in vendor selection. We make sure clients meet the mandate of the new law.

Learn more at coloradodocumentsecurity.org.