In January 2022, the Colorado Attorney General published guidance on data security practices. The guidance outlines practices gleaned from recent data security enforcement matters brought by the Attorney General (of which there are 3 total as of this writing, all completed in 2021), and relevant Colorado statutes.
The guidance highlights data security practices that covered entities (i.e., entities covered by the Colorado data breach statute) can adopt, including:
- creating a “data inventory,” a comprehensive listing of the types of data collected or maintained by the business
- establishing a system for how to store and manage that data;
- developing a written information security policy;
- adopting a written data incident response plan;
- managing the security of vendors by vetting them prior to finalizing an agreement for goods or services;
- training employees to prevent and respond to cybersecurity incidents;
- timely notifying victims and the Department of Law/Attorney General (when required) in the event of a security breach;
- protecting individuals affected by a data breach from identity theft and other harms; and
- regularly reviewing and updating security policies.
Find the AG’s guidance here.
| Date | Company name | Original Decision | Deficiencies cited |
| --- | --- | --- | --- |
| June 11, 2021 | Impact Mobile Home Communities Assurance of Discontinuance | https://coag.gov/app/uploads/2021/06/AOD-Signed-Impact-MHC-and-Colorado-6.11.2021.pdf | – Failure to maintain reasonable security practices, including employee cybersecurity preparedness training; – Failure to timely notify Coloradans of a data breach |
| June 8, 2020 | Kozleski CPAs Assurance of Discontinuance | https://coag.gov/app/uploads/2022/01/2020.06.08-KozleskiAssuranceAgreement06082020.pdf | – Failure to conduct a prompt, good faith investigation after experiencing a ransomware attack |
| March 11, 2021 | American Medical Collection Agency Final Judgment | https://coag.gov/app/uploads/2022/01/2021.03.11-AMCA-Agreed-Final-Judgment-w_-attach.pdf | Injunctive relief: 1) written ISP; 2) CISO with quarterly reports; 3) annual security assessments for 7 years. – Settlement payment of $21M. See also consumer class action (In re: American Medical Collection Agency, Inc., Customer Data Security Breach Litigation, 2:19-md-02904-MCA-MAH (D.N.J.) before Judge Madeline Arleo) |
| November 2021 | SEMA Construction, Inc. Assurance of Discontinuance | https://coag.gov/app/uploads/2021/11/SEMA-Construction-Fully-Executed-Assurance-of-Discontinuance.pdf | – Failure to conduct a prompt, good faith investigation; – Failure to timely notify victims of phishing attack |