What Businesses Need to Know About House Bill 1128

Earlier this year, we learned political data firm Cambridge Analytica gained access to private information on more than 50 million Facebook users — a story that dominated the news cycle for weeks. Users and Congress demanded an answer on how Facebook and others planned to keep their data secure.

But protecting consumer data has been a hot-button issue for several years. Many state governments are only now starting to catch up. On Sept. 1, Colorado joined some of the strictest states in the nation by protecting personally identifiable information (PII).

With unanimous approval in the state legislature, House Bill 1128 requires every enterprise and state government entity – known in the bill as a “covered entity” – with Colorado resident PII to have a data-protection policy, a 30-day notification system and a means to destroy any data that is no longer needed.

While the new law should be easy for Fortune 500s doing business in Colorado that already must meet standards for Europe’s General Data Protection Regulation (GDPR), the legislation stipulates that any enterprise handling Colorado resident PII must be compliant, including the smallest of small businesses. These businesses are unlikely to have the security infrastructure that larger organizations build into their security operations center (SOC), but it’s important they’re equipped with similar tools to handle data breach threats, potential breaches and the strict notification requirement.

WHAT DO COVERED ENTITIES NEED TO KNOW ABOUT HOUSE BIL 1128?

House Bill 1128 is an expansion of Colorado’s existing Consumer Protection Act.

Where that focuses on protecting consumers from a variety of unfair and deceptive business practices, the new House bill focuses on protecting PII, redefined to include a name plus another identifier, such as “a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; biometric data; an employer, student, or military identification number; or a financial transaction device [i.e. credit or debit card number].”

Additionally, a company required to be compliant, known as a covered entity, is defined as responsible party “that maintains, owns or licenses personal identifying information in the course of the person’s business, vocation or occupation.”

This means the law not only affects Colorado-based businesses, but any business with Colorado resident PII. While larger corporations have already had to meet the May 25, 2018 deadline for GDPR compliance in Europe, smaller enterprises may not be prepared.

Here are three things businesses have to have in place as of Sept. 1:

• A policy outlining how they are going to protect PII.
• A policy on PII retention and destruction.
• A policy and procedure on how to ensure they stay within the strict, 30-day notification window.

What’s specifically notable is the 30-day notification window, which is one of the shortest in the world.

While House Bill 1128 does not spell out a specific penalty for compromised companies, the attorney general is empowered to compel them to take responsibility for and cover the economic damages of a breach.

This has the potential to enhance the already costly and damaging nature of a breach for businesses.

Without the proper tools to detect, investigate and respond to a threat or breach, businesses are unlikely to remain compliant, and bolstering an organization’s cybersecurity with talented professionals can be difficult and expensive. This is where security automation technologies, such as security orchestration, automation and response (SOAR) can be helpful.

WHAT DO COVERED ENTITIES NEED TO KNOW ABOUT DATA BREACHES?

The bill defines a security breach as “the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of personal information maintained by a covered entity.” Breaches can include malicious outside activity, such as phishing or malware, but can also be –­ and often are – inside jobs. At this point, many enterprises have adopted the thinking that being compromised is not a matter of if but when, and protecting an organization is not easy. 

Organizations with valuable data are regularly and systematically targeted. In many circumstances the breaches that make headlines did not happen because an organization had no infrastructure, but because the security operations team was unable to review the alerts that could have warned of a potential breach. This means that organizations should look for ways to implement systems that can assist their security teams with high volumes of attack attempts. The enterprise’s goal is not to implement perfect security – which is impossible – but to make the level of effort and cost for attackers high enough that it’s not worth the breach attempt.

HOW CAN COVERED ENTITIES PROTECT THEMSELVES AND CONSUMER PII?

Automation technologies like SOAR increase an organization’s security efficiency and efficacy. SOAR creates a streamlined method for detecting and responding to threats by leveraging the enterprise’s existing people, processes and technologies. At machine speeds, SOAR combines comprehensive data gathering, case management, standardization, workflow and analytics to provide an organization the ability to implement sophisticated defense-in-depth capabilities. Meaning, SOAR automates and orchestrates repetitive and manual tasks without requiring human interaction. At a time when security professionals are limited and expensive, automation can benefit the security capabilities of any sized-business, including small startups still operating out of the home.

Additionally, automation and orchestration allow security analysts and engineers the time to use their specialized skills on higher value tasks, such as critical investigations and proactive threat hunting. This lowers the risk of a breach and increases employee satisfaction and reduces costly turnover.

Sometimes also referred to as security automation and orchestration (SAO), SOAR empowers an organization to stop a breach in its tracks, and it also makes it possible to notify Colorado residents of possibly compromised PII within the strict 30-day window.

Colorado joins states like California, Delaware and Utah leading the way in regulation to protect consumer PII, and others are likely to follow. As bad actors continue to increase their sophisticated attack attempts, companies need to come to terms with the fact that a breach investing in adequate protection is simply the cost of doing business.

Enterprises and state government entities, large and small, should use the enactment of House Bill 1128 as an opportunity to arm themselves against bad actors and enhance their SOC, security processes and notification policies. Doing this will not only help them remain compliant but will also help prepare for the inevitable future of strict regulations world-wide and continued security threats.

Cody Cornell is the CEO and co-founder of Swimlane, a Louisville-based security automation platform.
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; -webkit-text-stroke: #000000}
span.s1 {font-kerning: none}