Privacy & Information Security Law Blog

On January 28, 2022, in celebration of Data Privacy Day, the Colorado Attorney General’s Office issued prepared remarks from Colorado Attorney General Phil Weiser and published guidance on data security best practices. In his remarks, Attorney General Weiser highlighted the importance of protecting data security and outlined his office’s plans for implementing the Colorado Privacy Act (“CPA”), which takes effect July 1, 2023.

The “Data Security Best Practices” guidance document outlined nine key steps companies should take to protect their data, including:

1. Inventorying the types of data collected and establishing a system for how to store and manage that data;
2. Developing a written information security policy;
3. Adopting a written data incident response plan;
4. Managing the security of vendors;
5. Training employees to prevent and respond to cybersecurity incidents;
6. Following the Colorado Department of Law’s ransomware guidance to improve cybersecurity and resilience against ransomware and other attacks;
7. Timely notifying victims and the Colorado Attorney General’s Office when required in the event of a data breach;
8. Protecting individuals affected by a data breach from identity theft and other harms; and
9. Regularly reviewing and updating security policies.

Attorney General Weiser clarified that, in making a decision on whether companies are acting reasonably to safeguard sensitive information, his office will pay particular attention to the following practices: first, the Attorney General’s Office will evaluate whether a company has identified the types of data it collects and has established a system for storing and managing that data. The Attorney General’s Office then will consider whether a company has a written information security policy and a written incident response plan. Lastly, it will examine the degree to which the company vets and monitors its vendors’ data security practices.

Attorney General Weiser also announced that, by this fall, his office will exercise its new rulemaking authority under the CPA to post a formal Notice of Proposed Rulemaking, including a proposed set of model rules. The Notice will launch the process of collecting verbal and written comments from various of stakeholders across Colorado. The Attorney General’s Office expects to adopt final rules around a year from now.