mThink

FTC Defense Lawyer on Colorado’s Cybersecurity Legislation

June 18, 2018 by Richard B. Newman

Colorado’s governor recently signed into law House Bill 18-1128.  It is effective September 1, 2018 and sets forth information security requirements for businesses and third-party service providers, amends the state’s data breach notification statute and expands the definition of “personal information.”

“Covered entities” are subject to the law.  Generally speaking, a “covered entity” is “a person, [as defined in section 6-1-102(6)], that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation.”  A “person” is defined by C.R.S. § 6-1-102(6) as “an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or two or more thereof having a joint or common interest, or any other legal or commercial entity.”  The law also creates comparable statutory requirements for governmental entities.

Third-party service providers are not included in the definitions of “covered entity” and “governmental entity.”  Rather, they are defined as “any entity that has been contracted to maintain, store or process personal information on behalf of” a covered entity or governmental entity.

Information Security

Covered entities must implement and maintain reasonable security measures to protect documents containing personal identifying information.  “A covered entity that maintains, owns, or licenses personal identifying information of an individual residing in the state shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”

“Personal identifying information” is defined as: social security number; personal identification number; password; pass code; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device.

Contractual Requirements

Those subject to the law must ensure that protections are implemented whenever personal identifying information is transferred to third-party service providers that have been contracted to “maintain, store, or process personal information on behalf of a covered entity.”

In pertinent part:

“Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices that are: (a) appropriate to the nature of the personal identifying information disclosed to the third-party service provider; and (b) reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.”

There is an exception where a covered entity retains security responsibility and implements controls to protect personal identifying information from unauthorized disclosure or to eliminate a third-party’s access:

In pertinent part:

“. . . disclosure of personal identifying information does not include disclosure of information to a third-party under circumstances where the covered entity retains primary responsibility for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal identifying information and the covered entity implements and maintains technical controls that are reasonably designed to: (a) help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction; or (b) effectively eliminate the third-party’s ability to access the personal identifying information, notwithstanding the third-party’s physical possession of the personal identifying information.”

In short, a covered entity that discloses information to a third-party service provider must either require the service provider to implement and maintain reasonable security procedures and practices, or provide its own protection for the disclosed information.

Document Disposal

Covered entities must also implement a written disposal policy for documents that contain personal identifying information, including electronic documents.  The written policy must require that, when such paper or electronic documents are no longer needed, the covered entity shall destroy or arrange for the destruction of such documents by shredding, erasing, or otherwise modifying personal identifying information so as to render it indecipherable.  A limited, narrow exception to this requirement may exist if there is contrary federal or state law pertaining to disposal of personal identifying information.

Data Breach Notification

Colorado’s data breach notification statute now possesses the shortest time frame in the United States – thirty days after a determination that a security breach has occurred to provide notice.  The definition of “personal information” has been expanded.

In the event of an online account breach, in addition to standard notice, persons must be directed to promptly change passwords, and security questions and answers.  Additional steps, as appropriate, must also be taken.

Takeaway:  Portions of Colorado’s beefed-up cybersecurity legislation have been borrowed from the GDPR.  Covered entities should develop a written information security program that contains robust safeguards; implement a written document retention and disposal policy; critically assess (a) the third-parties to whom personal identifying information is transferred, (b) how personal identifying information is transferred to those third-parties, and (c) third-party security practices; and (d) ensure that contract language satisfies the statutory requirements.  Consult with an attorney experienced in privacy and data security compliance matters to implement an incident response plan, and to negotiate and draft third-party contracts that effectively minimize risk.  It is anticipated that the law will be aggressively enforced by the Colorado Attorney General.

Contact an FTC defense lawyer to discuss emerging privacy and data security law compliance requirements that impact the digital marketing community.  Visit the author’s website here.

Richard B. Newman is a regulatory litigation, investigations and compliance attorney at Hinch Newman LLP focusing on advertising and digital media matters.  Follow him on LinkedIn.

ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.
