Colorado “Protections For Consumer Data Privacy” Law


1 Colorado “Protections For Consumer Data Privacy” Law
Kelly Schroeder - Bastion Technology Consulting

2 Introduction
Who is Kelly Schroeder and Bastion Technology Consulting?
- Over 15 years of IT security and compliance experience
- Managed Department of Defense compliance for a contractor
- Implemented NIST SP
What is House Bill : “Protections For Consumer Data Privacy”?
- Expands responsibilities of companies retaining information on Colorado residents
- Signed into law May 29th, 2018
- Effective September 1st, 2018

3 What is a Covered Entity?
“...a person...that maintains, owns, or licenses personal identifying information (PII) in the course of the person's business, vocation, or occupation…”
“'Person' means an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or two or more thereof having a joint or common interest, or any other legal or commercial entity.”
Every business has the potential of being a covered entity.

4 Personal Identifying Information (PII)
- Social security number
- PIN
- Password
- Pass code
- Driver's license or ID card number
- Passport number
- Biometric data
- Employer, student, or military ID number
- Financial transaction device
At a minimum, every company that has ever taken an I-9 or W-2 has this information on its employees.

5 Third Parties
“'Third-party service provider' means an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity.”
What tools do you use to store information that might fall under the law?

6 Third Party Management
- Who is handling your customers’ PII?
- What are their written policies?
- How do you evaluate a vendor’s protection of your customers’ information?
- Do your agreements or contracts specify compliance?

7 Third Party Management (Continued)
“Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices that are:”
- appropriate to the nature of the PII
- reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction

8 Notifications
- When: 30 days after a determination that information was subject to “unauthorized access, use, modification, disclosure, or destruction”
- How: postal mail, phone calls
- Notify the Attorney General’s office if more than 500 Colorado residents are affected

9 Notification - Personal Information
“'Personal information' means a Colorado resident's first name or first initial and last name in combination with any one or more of the following:”
- social security number
- student, military, or passport identification number
- driver's license number or identification card number
- medical information
- health insurance identification number
- biometric data
- username or address, in combination with a password or security questions and answers that would permit access to an online account
- account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account

10 Written Policy
- Document retention (electronic and physical)
- Document destruction
- “Reasonable Security Procedures and Practices”
- Employee training
- Breach detection
- Access rights and responsibilities
- Notification process

11 Reasonable Security Procedures and Practices
“...appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”
- Encryption
- Firewall/Antivirus
- Passwords
- Mobile devices

12 Now What?
“Personal identifying information”:
- social security number
- PIN
- password
- pass code
- driver's license or ID card number
- passport number
- biometric data
- employer, student, or military ID number
- financial transaction device
Next steps:
- Discover what customer information you are storing and whether it is PII
- Determine what, if any, PII is stored with third parties
- Examine your processes for how PII is stored and exchanged
- Create a written policy
- Obtain written third-party PII policies
- Involve your IT team
- Contact Bastion Technology Consulting for further information or assistance

13 Thank you for your time! Any questions? Kelly Schroeder
Bastion Technology Consulting (970)

