The office of the Colorado Attorney General, Phil Weiser, recently issued a data security best practices guidance document as part of his office’s role in “implementing and enforcing data security and data privacy laws.” In recent remarks on Data Privacy Day on January 28, 2022, the Attorney General (the AG) discussed the upcoming rulemaking process that will take place over the next several months as a result of the passage of the Colorado Privacy Act. In addition, the data security best practices document updates previous guidance released by the A G’s office to provide guidance on important data security practices.

The guidance identifies nine areas of focus:

• Inventory data that are collected and have a system to store and manage data;

• Adopt a written information security program;

• Adopt a written incident response plan;

• Manage third party vendors;

• Train employees to prevent and respond to cybersecurity attacks;

• Follow the Department’s ransomware guidance;

• Timely notify affected individuals and the Attorney General in the event of a data breach;

• Protect affected individuals with services such as credit monitoring; and

• Regularly review and update your privacy and security policies.

We will be watching the regulatory process in Colorado closely as regulations are developed to implement the Colorado Privacy Act. In the meantime, the guidance provides important reminders to all regarding sound data security and privacy practices.