Colorado AG Releases Best Practices for Data Security
On January 28, 2022, Colorado Attorney General Phil Weiser released remarks on Colorado’s efforts to enact legislation enhancing privacy and data security protections for consumers and on the “failure of the federal government to act” in this area of law.
Weiser highlighted how the last federal legislative effort in the consumer privacy arena was the enactment of the Privacy Act of 1974 (“Privacy Act” or “Act”), which “recognized the importance of protecting personally identifiable information (“PII”)” and outlined Fair Information Practice Principles (“FIPPs”) to be utilized to protect PII. Although Weiser acknowledged the importance of the Privacy Act, he believes it is insufficient because it: (a) is not comprehensive, (b) acts to “merely” protect PII for specific sectors like health care, and (c) falls short of the legislative efforts in other countries in the European Union.
Despite the deficiencies in privacy legislation available to consumers, Weiser did not appear to believe American consumers were out of options. He provided a list of “best practices” for data security, stemming from federal and Colorado state guidance, that provide “sound ways” to secure an organization’s data. Organizations should:
Adopt multifactor authentication;
Use endpoint detection (to look for malicious activity on the network);
Respond to and address any malicious activity detected on the network;
Encrypt sensitive data (so that data, if stolen, cannot be used);
Utilize a skilled, empowered security team (to patch rapidly, and share and incorporate threat information into company defenses);
Back up data, system images, and configurations, regularly test them, and keep the backups offline;
Update and patch systems promptly;
Test incident response plans;
Check their security team’s work; and
Segment networks.
Although the future of privacy legislation is unclear, businesses should be aware of the push for federal regulation and dissemination of state legislative efforts. If future legislation is enacted, businesses should consider engaging an attorney to ensure that their organization is in compliance with all state and federal regulations.
Businesses should review the above best practices and consider the implementation of these recommendations in their organization.