At the IAPP Global Privacy Summit, Colorado Attorney General Phil Weiser announced the principles that would guide the CPA rulemaking process, after which his office published a white paper entitled Pre-Rulemaking Considerations for the CPA.  In the white paper, the Colorado Department of Law (which is headed by the Attorney General) welcomes informal input

On January 28, 2022 the Consumer Protection Section of the Colorado Attorney General’s Office issued guidance regarding data security best practices.  Businesses subject to the Colorado Privacy Act can look to these best practices as a roadmap for the technical and organizational data security safeguards the law requires businesses to implement.

The guidance instructs covered

2021 proved to be a momentous year for privacy and data security law.  The scourge of ransomware continued last year, leading to record-setting ransomware payments, a muscular response from the federal government, a hardening insurance market, and significant corporate anxiety.  Two more U.S. states passed comprehensive data privacy laws in 2021.  The FTC was very active, issuing new guidance for artificial intelligence (AI), publishing revisions to the GLBA Safeguards Rule, and bringing new enforcement actions.  The U.S. Supreme Court issued a number of opinions that had the effect of narrowing the scope of key privacy statutes while biometric litigation in Illinois exploded.  The European Commission promulgated new rules for cross-border transfers, and U.S. state regulatory enforcement activities ramped up.
Continue Reading  Predictions for Privacy & Data Security in 2022

Colorado has become the third state in the country to pass a comprehensive data privacy law, joining California and Virginia.  Assuming the governor signs—as he is widely expected to do—the Colorado Privacy Act (the “CPA”) will go into effect on July 1, 2023.

Similar to the California and Virginia laws, the CPA affords Colorado “consumers”

Ballard Spahr’s Privacy and Data Security Group will again be hosting its Colorado Cybersecurity Summit on September 18, 2018, at Ballard Spahr’s Denver office and via webinar.

Highlights will include a discussion with the Colorado Deputy Attorney General who will be responsible for enforcing Colorado’s groundbreaking new cybersecurity law, as well as the former Director

Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.

The most notable provisions of the new law are discussed below.

Continue Reading  Colorado Enacts Groundbreaking Privacy and Cybersecurity Legislation

As part of the Rocky Mountain Information Security Conference hosted in Denver from May 8 to 10, 2018, Ballard Spahr Privacy and Data Security attorney David Stauss sat down with Robb Reck, Chief Information Security Officer for Ping Identity and Alex Wood, Chief Information Security Officer for Pulte Financial Services. The group discussed a wide-range on cybersecurity issues as well as Robb and Alex’s involvement with the RMISC and their weekly podcast Colorado = Security.

Continue Reading  Ballard Spahr Interviews Two Leaders of the Colorado Information Security Community

As we were the first in the nation to report, in January, Colorado lawmakers proposed legislation that would significantly change the way in which entities operating in Colorado must protect confidential information and disclose breaches involving same.

Last week, the bill’s sponsors submitted an amended bill that revises a number of key provisions. Among other changes, the amended bill would require entities to notify Colorado residents within 30 days of discovery of a data breach.  If enacted, Colorado would have the shortest time frame for disclosure in the country.
Continue Reading  Colorado Legislature Continues to Push Privacy and Data Security Legislation in Wake of Equifax

A bipartisan group of Colorado legislators proposed legislation that, if enacted, would significantly change the requirements for how Colorado entities protect, transfer, secure, and dispose of documents containing personal identifying information. The proposed legislation also would expand the types of information covered by the Colorado Breach Notification Law and add additional requirements for companies that