Colorado has become the third state in the country to pass a comprehensive data privacy law, joining California and Virginia. Assuming the governor signs—as he is widely expected to do—the Colorado Privacy Act (the “CPA”) will go into effect on July 1, 2023.
Similar to the California and Virginia laws, the CPA affords Colorado “consumers”
We are pleased to announce the following panels for the Colorado Cybersecurity Summit being held in Denver, Colorado on September 18, 2018, and also available via webinar. To register for the Summit click here.
Continue Reading Panels Announced for the Colorado Cybersecurity Summit
Ballard Spahr’s Privacy and Data Security Group will again be hosting its Colorado Cybersecurity Summit on September 18, 2018, at Ballard Spahr’s Denver office and via webinar.
Highlights will include a discussion with the Colorado Deputy Attorney General who will be responsible for enforcing Colorado’s groundbreaking new cybersecurity law, as well as the former Director
Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.
Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.
The most notable provisions of the new law are discussed below.
Continue Reading Colorado Enacts Groundbreaking Privacy and Cybersecurity Legislation
As part of the Rocky Mountain Information Security Conference hosted in Denver from May 8 to 10, 2018, Ballard Spahr Privacy and Data Security attorney David Stauss sat down with Robb Reck, Chief Information Security Officer for Ping Identity and Alex Wood, Chief Information Security Officer for Pulte Financial Services. The group discussed a wide-range on cybersecurity issues as well as Robb and Alex’s involvement with the RMISC and their weekly podcast Colorado = Security.
Continue Reading Ballard Spahr Interviews Two Leaders of the Colorado Information Security Community
As we were the first in the nation to report, in January, Colorado lawmakers proposed legislation that would significantly change the way in which entities operating in Colorado must protect confidential information and disclose breaches involving same.
Last week, the bill’s sponsors submitted an amended bill that revises a number of key provisions. Among other changes, the amended bill would require entities to notify Colorado residents within 30 days of discovery of a data breach. If enacted, Colorado would have the shortest time frame for disclosure in the country.
Continue Reading Colorado Legislature Continues to Push Privacy and Data Security Legislation in Wake of Equifax
A bipartisan group of Colorado legislators proposed legislation that, if enacted, would significantly change the requirements for how Colorado entities protect, transfer, secure, and dispose of documents containing personal identifying information. The proposed legislation also would expand the types of information covered by the Colorado Breach Notification Law and add additional requirements for companies that
2017 brought a new trend in cybersecurity law – state agency rulemaking independent of legislative action. To be sure, Massachusetts has long had cybersecurity regulations on the books, but those regulations were enacted based on a legislative mandate. What occurred in 2017 is different because individual state agencies in New York, Colorado, and Vermont took it upon themselves to promulgate regulations directed at filling a perceived need to ensure that regulated entities were taking proper steps to protect confidential information. That action – and the expectation that we will see more in 2018 – has added another level of complexity to the web of state and federal laws that govern this area. In fact, in another sign that we can expect even more action in this area, at the end of 2017, the National Association of Insurance Commissioners issued a 13 page model data security law.
Continue Reading State Cybersecurity Regulations: A Look Back at 2017
The Colorado Division of Securities made national headlines last year when it promulgated cybersecurity rules applicable to broker-dealers and investment advisors. Since the rules went into effect in July 2017, the Division has published a compliance checklist containing additional requirements for covered entities. Colorado-based members of Ballard Spahr’s Privacy and Data Security Group, who participated