On January 28, 2022 the Consumer Protection Section of the Colorado Attorney General’s Office issued guidance regarding data security best practices.  Businesses subject to the Colorado Privacy Act can look to these best practices as a roadmap for the technical and organizational data security safeguards the law requires businesses to implement.

The guidance instructs covered entities to incorporate the following best practices:

  1. Inventory the types of data collected and establish a system for how to store and manage that data;
  2. Develop a written information security policy;
  3. Adopt a written data incident response plan;
  4. Manage vendor security;
  5. Train employees to prevent and respond to cybersecurity incidents;
  6. Follow the Department of Law’s ransomware guidance to improve cybersecurity and resilience against ransomware and other attacks;
  7. Timely notify victims and the authorities (when required) in the event of a security breach;
  8. Protect individuals affected by a data breach from identity theft and related harms; and
  9. Regularly review and update security policies.

The guidance in its entirety is available here.

While many companies may already follow these practices as part of their data security regime, their publication shows the increased focus on privacy and data security in Colorado in the run-up to the Colorado Privacy Act going into effect in 2023.