Colorado Attorney General Helps Businesses with Data Security!

green and yellow printed textile

In January 2022, the Colorado Attorney General published guidance on data security practices. The guidance outlines practices gleaned from recent data security enforcement matters brought by the Attorney General (of which there are 3 total as of this writing, all completed in 2021), and relevant Colorado statutes.

The guidance highlights data security practices that covered entities (i.e., entities covered by the Colorado data breach statute, can adopt, including:

  1. creating a “data inventory,” a comprehensive listing of the types of data collected or maintained by the business
  2. establishing a system for how to store and manage that data;
  3. developing a written information security policy;
  4. adopting a written data incident response plan;
  5. managing the security of vendors by vetting them prior to finalizing an agreement for goods or services;
  6. training employees to prevent and respond to cybersecurity incidents;
  7. timely notify victims and the Department of Law/Attorney General (when required) in the event of a security breach;
  8. protect individuals affected by a data breach from identity theft and other harms; and
  9. regularly reviewing and updating security policies.

Find the AG’s guidance here.

Excerpt from AG’s guidance
DateCompany nameOriginal DecisionDeficiencies cited
June 11, 2021Impact Mobile Home Communities
Assurance of Discontinuance– Failure to maintain reasonable security practices including employee cybersecurity preparedness training

– Failure to timely notify
Coloradans of a data breach
June 8, 2020Kozleski CPAs
Assurance of Discontinuance– Failure to conduct a prompt, good faith investigation after experiencing a ransomware attack
March 11, 2021American Medical Collection Agency
Final Judgment relief:

1) written ISP
2) CISO with quarterly reports
3) Annual security assessments for 7 years

– Settlement payment of $21M

See also consumer class action (In re: American
Medical Collection Agency, Inc., Customer Data Security Breach Litigation
, 2:19-
md- 02904-MCA-MAH (D.N.J.) before Judge Madeline Arleo)
November 2021SEMA Construction, Inc.
Assurance of Discontinuance
– Failure to conduct a prompt, good faith investigation

– Failure to timely notify victims of phishing attack

You might also enjoy

Foundry Legal is a law practice.  We primarily focus on data privacy, emerging technology companies and social impact organizations, and capital formation through private securities offerings and strategic investments/acquisitions. 

Occasionally we will find an issue that really, really goes against something we stand for and when that happens we won’t hestitate to get involved.  

The firm serves clients across a range of industries, including new agriculture, financial institutions, aerospace, and professional services.  We are in Denver, Colorado.  Other stuff about us

Other Thoughts on Things


Blockchain and Fintech

At the intersection of governance, data security, payments and financial services, and securities regulation lies the blockchain industry. Luckily for our clients, these topics are


Privacy and Data Security

As the regulation of how businesses use, store, and transmit data becomes more complex, companies and executives must navigate between state-specific and industry-level privacy and

commercial contracts

Founder Disputes & Business Divorces

One of the most overlooked and under-appreciated aspect of starting a business with other people is the human relationship. Like in any partnership, there is