Health care stakeholders nearly brought ‘the death of the bill,’ said the office’s former lobbyist in Ballard Spahr summit
Attendees got rare insight on cybersecurity enforcement at Ballard Spahr’s annual Cybersecurity Summit in Denver on Tuesday. In the program’s centerpiece panel discussion, a deputy attorney general and a former lobbyist from the Colorado Attorney General’s Office talked about how to comply with Colorado’s new data security law as well as how the bill made it to the governor’s desk.
House Bill 1128, which went into effect at the beginning of this month, raised the bar on consumer protection involving Coloradans’ personal data and notification requirements in the event of a breach. In addition to expanding the definition of personally identifiable information, Colorado now requires organizations to notify affected Coloradans of a breach within 30 days. No state has a tighter breach notification deadline.
Ballard Spahr partner David Stauss moderated a discussion about how the law got enacted and what companies should focus on to comply with it. He was joined by Alissa Gardenswartz, deputy attorney general at the Colorado Attorney General’s Office, and Jennifer Anderson, who was the AG’s Office’s legislative affairs director during the 2018 session at the Capitol.
Gardenswartz and Anderson, who now works for the Colorado Lottery, each said they were not speaking on behalf of the AG’s Office in discussing the bill on the panel. Ballard Spahr, including firm partner David Stauss, assisted the AG’s Office and the bill’s sponsors as a neutral party.
How the Sausage Was Made
HB 1128 may have passed both the House and the Senate without a single “No” vote, but that belied the struggle to get it enacted in May. The bill’s copious revisions produced six published versions, and that was after the pre-session stakeholder meetings.
“It was an interesting process,” Anderson recalled.
With cybersecurity presumably being a bipartisan issue, and one that legislators can get behind because they themselves have PII that’s vulnerable to a breach, Anderson said the bill looked “to be very low-hanging fruit” in terms of getting it passed. That turned out not to be the case.
“It was such a heavy lift, and it’s not reflected in the vote count … but there was a ton of opposition to this bill, and it was coming from all angles,” she said. The opposing stakeholders were unwilling to come out publicly against the bill and “testify that they’re not willing to protect their clients’ information,” she added, so they lobbied to kill the bill from the background.