As part of the Rocky Mountain Information Security Conference hosted in Denver from May 8 to 10, 2018, Ballard Spahr Privacy and Data Security attorney David Stauss sat down with Robb Reck, Chief Information Security Officer for Ping Identity, and Alex Wood, Chief Information Security Officer for Pulte Financial Services. The group discussed a wide range of cybersecurity issues as well as Robb and Alex’s involvement with the RMISC and their weekly podcast Colorado = Security.
As we were the first in the nation to report, in January, Colorado lawmakers proposed legislation that would significantly change the way in which entities operating in Colorado must protect confidential information and disclose breaches involving same.
Last week, the bill’s sponsors submitted an amended bill that revises a number of key provisions. Among other changes, the amended bill would require entities to notify Colorado residents within 30 days of discovery of a data breach. If enacted, Colorado would have the shortest time frame for disclosure in the country.
A bipartisan group of Colorado legislators proposed legislation that, if enacted, would significantly change the requirements for how Colorado entities protect, transfer, secure, and dispose of documents containing personal identifying information. The proposed legislation also would expand the types of information covered by the Colorado Breach Notification Law and add additional requirements for companies that have suffered a data breach, such as a 45-day deadline to provide notice to affected individuals.
2017 brought a new trend in cybersecurity law – state agency rulemaking independent of legislative action. To be sure, Massachusetts has long had cybersecurity regulations on the books, but those regulations were enacted based on a legislative mandate. What occurred in 2017 is different because individual state agencies in New York, Colorado, and Vermont took it upon themselves to promulgate regulations directed at filling a perceived need to ensure that regulated entities were taking proper steps to protect confidential information. That action – and the expectation that we will see more in 2018 – has added another level of complexity to the web of state and federal laws that govern this area. In fact, in another sign that we can expect even more action in this area, at the end of 2017, the National Association of Insurance Commissioners issued a 13-page model data security law.
The Colorado Division of Securities made national headlines last year when it promulgated cybersecurity rules applicable to broker-dealers and investment advisors. Since the rules went into effect in July 2017, the Division has published a compliance checklist containing additional requirements for covered entities. Colorado-based members of Ballard Spahr’s Privacy and Data Security Group, who participated in drafting the cybersecurity rules, have now published a guide for covered entities that will help them understand their obligations under the Division’s rules and how to comply with them.