Attendees got rare insight on cybersecurity enforcement at Ballard Spahr’s annual Cybersecurity Summit in Denver on Tuesday. In the program’s centerpiece panel discussion, a deputy attorney general and a former lobbyist from the Colorado Attorney General’s Office talked about how to comply with Colorado’s new data security law as well as how it made it to the governor’s desk.
House Bill 1128, which went into effect at the beginning of this month, raised the bar on consumer protection involving personal data and notification requirements in the event of a breach. In addition to expanding the definition of personally identifiable information, Colorado now requires organizations to notify affected Coloradans of a breach within 30 days. No state has a tighter breach notification deadline.
Ballard Spahr partner David Stauss moderated a discussion about how the law got enacted and what companies should focus on in order to comply with it. He was joined by Alissa Gardenswartz, deputy attorney general at the Colorado Attorney General’s Office, and Jennifer Anderson, who was the AG’s Office’s legislative affairs director during the 2018 session.
Gardenswartz and Anderson, who now works for the Colorado Lottery, each said they were not speaking on behalf of the AG’s Office in discussing the bill on the panel. Ballard Spahr, including firm partner David Stauss, assisted the AG’s Office and the bill’s sponsors as a neutral party.
How the Sausage Was Made
HB 1128 may have passed both the House and the Senate without a single “No” vote, but that belied the struggle to get it to the governor’s desk in May. The bill’s copious revisions produced six published versions, and that was even after the pre-session stakeholder meetings.
“It was an interesting process,” Anderson recalled.
With cybersecurity presumably being a bipartisan issue, and one that legislators can get behind because they themselves have PII that’s vulnerable to a breach, Anderson said the bill looked “to be very low-hanging fruit” in terms of getting it passed. That turned out not to be the case.
“It was such a heavy lift, and it’s not reflected in the vote count … but there was a ton of opposition to this bill, and it was coming from all angles,” she said. The opposing stakeholders were unwilling to come out publicly against the bill and “testify that they’re not willing to protect their clients’ information,” she added, so they lobbied to kill the bill from the background.
Gardenswartz said that the bill was drafted with businesses and other entities in mind and that sponsors “didn’t want to overburden businesses that were already subject to regulation vis a vis their federal or state regulators.”
“It does say pretty much in every part of the act that if you are subject to state or federal rules or regulations or laws related to data privacy and you’re in compliance with those laws, then you’re OK under our law,” she said.
The big exception, Gardenswartz said — and what drew the most consternation from stakeholders — was the bill’s breach notice deadline of 30 days. Even entities that are subject to HIPAA and its own 60-day deadline for notification, or the Gramm-Leach-Bliley Act and its “as soon as possible” standard, must adhere to Colorado’s window.
But the stakeholders in the health care and the financial sectors each approached that sticking point differently, Anderson said. The banks lobbied for an exemption to the 30-day rule before the bill was introduced, but after negotiations, they remained neutral on the bill without getting that exemption. Health care stakeholders, however, “to the bitter end hung on to this idea that they were going to get this exemption from the timeframe requirement,” like what they got with other states’ data breach requirements, Anderson said.
But to give HIPAA-regulated entities the carve-out after standing firm with the banks “would have just been awful for the bill,” she added. “The whole thing would have imploded.”
“I thought it was going to be the death of the bill a couple times,” Anderson said. “It was just so many entities that are subject to HIPAA that started to weigh in.”
In response, bill sponsors floated the idea, while HB 1128 was undergoing its second reading on the House floor, of shortening the notification window for every entity to just three days. With that requirement hanging over their heads, Anderson said, other stakeholders who had signed on to the bill pressured health care “to back off” on its exemption demand.
“It really was important, I think, ultimately to the success of the bill that our message was everyone is treated equally. If we carve someone out, we’re carving out those consumers from the protections of these laws,” she said. “That was a very simple message for a very complicated bill that ultimately ended up being 22 pages long.”
Complying With the New Law
Stauss asked Gardenswartz what entities should be focusing on in order to comply with the new law. She said the appropriate measures might vary depending on the size of the organization, though she offered general steps to take.
“I think you should memorialize what it is that you’re doing to protect … PII,” Gardenswartz said, including having an incident response plan. Entities should also make sure that they’re testing for vulnerabilities in their systems and patching them when found. They should also limit the number of people who have access to PII and dispose of the data when it’s no longer needed. “My guidance would be to really put some thought into it.”
“It goes back to common sense,” she said. “We are looking to see … that you took protection of consumers’ data seriously.”
She said companies might view data security as providing customer service. If they don’t invest in it, they not only risk running afoul of the law but also losing customers.
The new law requires entities to notify the AG’s Office when they suspect a breach has compromised the PII of 500 or more Coloradans. The notice should contain basic information, Gardenswartz said, including the organization’s name, a primary contact, the date the breach was discovered, the estimated number of Coloradans impacted, and a copy of the notice sent out to the consumers.
Gardenswartz said it may not be a question of if entities experience a breach but when. “But again, if you’re taking all of the steps that you can given your size and given the data that you keep, that’s what we’re looking for.”
As of Sept. 18, the office hasn’t yet received any data breach notifications under the new law, she noted.
At the summit, two other roundtable discussions preceded the cybersecurity bill talk. Stauss, along with Ballard Spahr’s privacy and data security group co-leader Edward McAndrew and associate Malia Rogers, discussed the impact of new cybersecurity laws outside Colorado, including California’s new amendment and the EU’s General Data Protection Regulation, or GDPR.
Another panel centered around complicated cybersecurity issues that companies have to manage with their vendors. Douglas Brush of Kivu Consulting and Timothy Burke of IMA, Inc. joined Ballard Spahr associate Gregory Szewczyk in discussing vendor pain points including insurance, supply chain issues and contracting considerations involving data privacy.
— Doug Chartier