February 7, 2023

Volume XIII, Number 38


February 06, 2023


Colorado AG Issues Guidance on Data Security Best Practices

The Colorado AG recently issued guidance on practices companies should consider to safeguard consumer data. This guidance was issued in response to companies asking what “reasonable” security means. While noting that the standard is a flexible one and calls for case-by-case determinations, the AG highlighted activities it will weigh when making a decision on whether companies are acting reasonably to safeguard information.

Specifically, the AG noted a few practices as critical when determining whether a company is acting reasonably to safeguard information. These include identifying and managing data (including proper retention practices). The AG also noted having and implementing a written information security policy and incident response plan. The CO AG also placed importance on ensuring that vendors have proper security measures in place.

Altogether, nine practices were highlighted. These include advising companies to:

  1. Inventory types of data collected and establish systems to store and manage data.

  2. Develop a written information security policy.

  3. Adopt a written data incident response plan.

  4. Manage vendors’ security.

  5. Train employees to prevent and respond to cybersecurity incidents.

  6. Follow the Department of Law’s ransomware guidance.

  7. Notify affected individuals and the Colorado AG of a breach, as required under law.

  8. Protect affected individuals of a data breach from identity theft and harm.

  9. Review and update security policies regularly.

This guidance comes in light of the upcoming Colorado Privacy Act (CPA), which we previously covered here. The CO AG also announced rulemaking for the CPA to begin soon, with the adoption of final rules expected by early next year.

Putting it Into Practice: The CO AG’s advice signals the growing expectations of the steps companies should take to protect information. This follows the trend of other state AGs issuing cybersecurity guidance. For example, the New York AG recently issued information on how to protect against credential stuffing attacks.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 45

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

Dhara Shah, Law Clerk, Chicago, Sheppard Mullin Richter & Hampton LLP

Dhara Shah is a law clerk in the Intellectual Practice Group in the firm’s Chicago office.