Step No. 1: Know What You Have and Who Has Access
Per the guidance, the first step that an organization can take includes taking inventory of the types of personal information it collects and, if not already established, creating a system for storing and managing such information. Organizations should monitor employee access to personal information and have a written data retention and destruction policy in place.
Step No. 2: Have a Written Information Security Policy
Second, organizations should memorialize their data security practices in a written information security policy (WISP). According to the guidance, some common data security practices include data minimization, access control, password management, and encryption. An organization’s information security procedures should also adhere to industry standards where possible (e.g., ISO/IEC 27000 standards for storing employee data, Payment Card Industry’s Data Security Standard for organizations that collect credit card information, etc.). However, it is important to note that the WISP should not simply be a spreadsheet of controls—it should be a comprehensive overview of the program written in plain language.
Step No. 3: Have a Written Incident-Response Plan
Third, the guidance recommends adopting a written incident-response plan—both in physical and digital form in case a cyberattack renders the digital copy unusable—as one of the reasonable security measures that an organization can adopt to protect personal information. Such a plan would detail the steps that the organization would take in the event of a security incident, such as notification procedures and remedial actions. To ensure that the organization can execute the response plan, the organization should conduct response training and simulated, interactive exercises that test an organization’s incident-response procedures (i.e., tabletop exercises).
Step No. 4: Know Your Vendors
Fourth, reasonable security measures to protect personal information include effective vendor management. Organizations should vet potential vendors and must require—by contract—that vendors adopt and take reasonable and appropriate security measures to protect the personal information that they process on behalf of the organization, allow for regular (and no less than annual) audits by the organization of the vendor’s security procedures, and aid the organization in the event of a security breach. Again, the key is to have some documented process or standard template to demonstrate compliance.
Step No. 5: Train Your Employees
The guidance also recommends that an organization implement an effective employee-training program as a reasonable security measure. As training employees on cybersecurity preparedness and identifying and reporting suspicious emails and other network activity can be critical in preventing potential cyberattacks, the training program should be documented.
Step No. 6: Follow the Colorado AG’s 2021 Ransomware Guidance
Sixth, the guidance recommends that organizations follow the Colorado attorney general’s 2021 ransomware guidance to help bolster their cybersecurity and resilience against ransomware and other attacks. Per the 2021 guidance, best practices for responding to ransomware attacks include multifactor authentication, encryption, end-point detection and response, data backup and ensuring that backup copies are readily accessible off-line, regular system updates and patching, testing incident-response plans, and network segmentation.
Step Nos. 7 and 8: Promptly Conduct Investigations and Provide Notifications, When Necessary
The seventh and eighth recommendations identified in the guidance relate to timely breach notification and the actions that an organization takes as a result of a security breach affecting consumers’ personal information. Per the guidance, organizations that process personal information have a duty to protect such information and should conduct a prompt investigation in the event of a security breach. Depending on the type of personal information affected and the magnitude and severity of the breach, organizations may be required to notify consumers and/or the Colorado attorney general within 30 days (with additional notification obligations determined by other state laws). Organizations should also be prepared to compensate affected individuals, such as by providing free credit-monitoring services.
Step No. 9: Regularly Review and Update Your Security Policies
Finally, the guidance recommends that organizations regularly review and update their security policies where necessary. Assessing whether data collection, storage, and use practices are updated for changes to internal processes and applicable risks is key to ensuring that the organization is undertaking reasonable security measures. As organizations introduce new products and services or adopt different business practices, the policies governing security practices should be updated accordingly.
The guidance should be recognized as just that—guidance—and not a technical playbook for data security. But it demonstrates the reality that data security is not just about technical controls. In an era where the sufficiency of a program will be determined by nontechnical fact finders through the normal legal process, companies need to document their programs through legal policies that are easily understood. The Colorado guidance certainly provides a useful road map in that respect, and we can expect to see it cited by both plaintiffs and defendants in the coming years.
Gregory Szewczyk is a partner at Ballard Spahr LLP in Denver, Colorado, and Sarah Dannecker is an associate at Ballard Spahr LLP in Minneapolis, Minnesota.