Last year’s Equifax data breach exposed information on 145.5 million people. Equifax waited about 40 days to disclose the breach. They lost their consumers’ trust, costing them business while opening them up to civil lawsuits. Prior to the breach, at least 44 states had laws protecting consumer data. Alabama, Florida, Iowa, Maryland and South Dakota all passed their laws in 2018. The 40-day period Equifax waited falls within the period of disclosure for many states, consumers felt they should have found out sooner.
While all 50 states have now passed statutes on how companies are to respond to breaches, no federal law governs businesses in all sectors when it comes to general consumer information security.
Colorado’s data privacy bill is still waiting to be signed by Gov. John Hickenlooper and will be the strictest law in the nation regarding how businesses and the state government — collectively referred to as “entities” in the bill — prepare for and handle security breaches.