Colorado’s recently passed breach notice law, which goes into effect on September 1, includes a data security requirement. This mirrors the change to the Louisiana breach notice law we reported about yesterday. Under the law, companies will need to have “reasonable” security practices and procedures that protect personal information. Personal information is defined as social security numbers, personal identification number, a password or pass code, state ID numbers, and biometric data. The law also will require companies to ensure that third parties with whom they share personal information have reasonable security protections.
Putting it Into Practice: Companies should keep in mind the growing number of state law requirements to protect information when developing and maintaining their information security programs. Here, the Colorado requirements around vendors are particularly useful to keep in mind.