Colorado's Version of the General Data Protection Regulation Requires Companies Take a Proactive Approach
Are small businesses prepared?
In the cybersecurity industry, we half-joke there are two types of businesses: those that have been victimized by a cyberattack and those that haven't yet discovered they've been attacked. Last year, nearly 2.6 billion personal records were stolen or compromised. Within the last week, we have tracked nearly two dozen major data breaches that have collectively impacted tens of millions of Americans.
Think of Colorado's new data privacy law as the state's version of the General Data Protection Regulation (GDPR) in Europe. The law requires companies to take a proactive approach to better manage the risks associated with data breaches, spear-phishing, ransomware and other cyberattacks.
According to the Strengthening Protections for Consumer Data Privacy Act, companies doing business in Colorado must create a security plan explaining how a customer's personally identifiable information (PII) is handled and set a procedure to follow should a data breach occur. Companies must notify affected customers within 30 days in the event of a breach and may also have to notify Colorado's Attorney General. The law also requires companies to have a written data retention and destruction policy and to maintain reasonable security procedures. To support those goals, the State has made sample privacy and security policies available so anyone can get started immediately.
Data breaches don't just affect big businesses like T-Mobile, Sony or Equifax. The average cost of a data breach for a small business stands at $690,000, and that figure can surpass $1 million for middle market companies. Not even startups are immune to data breaches: Sitter, a Boulder-based babysitting app, last week revealed that nearly 93,000 customer records had been compromised. For businesses, the damage caused by data breaches can drive down stock prices, scare away investors and customers, irreparably damage reputations and customer confidence, or worse.
Colorado's new law is an important step in securing sensitive personal information. But are companies, particularly small businesses, prepared?
While most corporations likely have resources and basic tools, our experience suggests that most small businesses have no idea that the new law is about to come into force, let alone possess the knowledge or resources to come into compliance with the law.
This is troubling on a number of levels.
So, what do companies need to do to come into compliance, and more importantly, how can they do it?
1. GET EDUCATED on the law and the commercially viable products that help ensure compliance. Try undertaking a security audit – some are available for just a few thousand dollars – to produce a risk assessment that will be unique to each company. If this seems expensive, consider the cost of dealing with a full-blown data breach.
2. ESTABLISH STRONG IDENTITY CONTROLS to ensure only authorized individuals can access the right systems and data. Some of the most effective tools available include privileged access management, multi-factor authentication and single sign-on. Depending on the particular needs identified in the assessment, these simple controls can be installed in a matter of days or weeks and can serve as effective safeguards for sensitive data.
3. MAKE CYBERSECURITY A PRIORITY for your business. Not every firm needs to spend millions of dollars – but every business needs to allot time and resources to protecting itself. In our combined 40 years of experience, we have seen firsthand the benefits of creating a specific budget for cybersecurity, identifying leadership to shepherd these initiatives and managing the risks in coordination with your business goals.
In our modern era, cybersecurity is the responsibility of every business. From customer expectations to assuring investors, the consequences of ignoring cybersecurity are real. We hope that this new law helps Colorado become the most secure state in America.
Cameron Williams is the co-founder and CTO of OverWatchID, a Denver-based identity security firm. Alex Kreilein is a managing partner of Darkfield, a cybersecurity investment platform and accelerator.