Your Questions About New U.S. State-Level Data Protection Laws Answered

This year, at least 11 U.S. states passed new or updated laws, with several specifically focused on data breach notification and data protection. From Alabama implementing its first data breach notification law to California passing its Consumer Privacy Act and Virginia updating its breach notification law to incorporate tax information, states have led the way when it comes to data protection legislation in the U.S. Colorado, LogRhythm’s home state, is one of the most recent ones to do so. And whether or not you’re located in Colorado, you should take note of these changes — as your own state may have implemented similar laws (or will soon).

These new laws and updates to existing laws come in the wake of 2018’s data regulation star: the General Data Protection Regulation (GDPR). Following its adoption in the EU — and the attention it drew throughout other parts of the world — the U.S. has begun establishing similar laws essentially as a “catch all” to fill in security gaps that existing state-level regulations may not address. So even if you’re a private organization that has never needed to comply with existing mandates, you may have to now.

What’s Changed in Colorado’s Protection for Consumer Data Privacy Act?

Colorado’s Protection for Consumer Data Privacy Act took effect Sept. 1, 2018. This new act included two primary updates to existing laws and the addition of an entirely new law.

Update: Written Policies for Personally Identifiable Information (PII) Disposal

Local businesses already had to abide by a law mandating the disposal of PII. With the update, however, organizations must now also maintain written policies that specify the process for disposing of both paper and electronic records containing PII.

Update: Detailed Breach Notifications

Like the first update, Colorado law already dictated that businesses provide breach notification. But the new law specifically requires that breached organizations provide detailed notification directly to affected Colorado residents and, depending on the nature of the breach, potentially to the Attorney General as well as the three major credit reporting agencies. The notification timeframe was amended to what is now the most stringent of all 50 states (tied with Florida) — “thirty days after the date of determination that a security breach occurred.” Finally, the new bill expanded the existing definition of personal information and added new content requirements for notice letters.

New: Protecting PII

While it wasn’t on the books before, affected businesses must now implement and maintain “reasonable security measures to protect PII.” What Colorado considers “reasonable” depends on the type of organization you operate and the types of PII you manage. The organization must also take measures when transferring PII to third-party service providers and “shall require” that these providers have reasonable security measures in place.

If I Comply With Another (Inter)national Mandate, Do I Automatically Comply With These Laws? How Do International Standards Impact State-Level Data Protection Laws?

The short answer: it depends. On the one hand, regulations like GDPR can be stricter than existing U.S. regulations. For instance, GDPR normally has more specific requirements for post-mortem breach documentation. And in certain cases, complying with state or federal regulations may satisfy some of Colorado’s data protection requirements. When it comes to companies already in compliance with existing frameworks, those that have taken the necessary steps to be compliant with GDPR, ISO 27001, and/or NIST SP 800-53 have covered the majority, if not all, of the technical controls mandated by state laws and should focus on the details of their individual state’s requirements for adherence.

However, compliance is not guaranteed. For example, depending on the situation, organizations are permitted 60 days to provide notice of a breach and still comply with the Health Insurance Portability and Accountability Act (HIPAA). As noted above, for the most part, organizations that must comply with the Colorado laws must provide notice within 30 days. So the fact that HIPAA is a well-established national regulation does not mean that complying with it guarantees that you will comply with Colorado’s laws.

During your organization’s preparation for compliance, consult legal counsel about your state’s laws to confirm scope of coverage. Variances exist between states’ and industries’ laws and regulations.

What Do I Do Now?

Automate Your Compliance

Whether this is simply the latest in a series of regulations you have to comply with, or the first time you’ve ever had to demonstrate compliance, the first thing you should do is make sure you have the proper tools in place to help automate your compliance as much as possible. You don’t want to rely on manual activities; they will take more time than you’re likely able to allocate. But more importantly, manual work is more likely to result in mistakes. Many regulations require you to use technology, processes, and procedures to support data protection because of this inherent risk.

Security information and event management (SIEM) solutions can satisfy this so long as they provide you with the tools and content necessary to support compliance quickly, easily, and automatically. At LogRhythm, we give customers access to several compliance modules that include prebuilt rules, lists, reports, and other content that map to individual controls, frameworks, and standards. For example, our Health Care Compliance Automation Suite includes rules specifically designed to support HIPAA objectives related to physical safeguards (e.g., §164.310); Health Information Technology for Economic and Clinical Health (HITECH) objectives related to audits (e.g., §13411); and more.

Our Approach

Our compliance modules are based on our Consolidated Compliance Framework (CCF), which helps LogRhythm customers support dozens of compliance mandates easily and efficiently. We’re constantly adding to this content, and we plan to release content specific to the new Colorado regulations as well as other state-level standards and publications in the next few months (stay tuned for updates). By applying our CCF methodology to our analysis of every state’s data protection laws, we found commonalities amongst the broadly written legislation. These commonalities exist amongst many individual states’ laws. They include destruction of PII, protection of PII, and timely notification of security breaches, all of which naturally pair with SIEM capabilities and LogRhythm’s existing content. While all LogRhythm content will be useful in compliance with any state’s data protection laws, we have a few instant wins for any organization:

  1. Be prepared with detailed audit history and real-time log alerts. This helps build a complete understanding of the security event and can help define next steps in accordance with the law.
  2. Proactively monitor your entire environment – specifically access to, modification of, and deletion of PII – through file integrity monitoring, data loss prevention, user access management, anomalous activity alarms, and other pre-existing LogRhythm content.
  3. Leverage LogRhythm’s AI Engine rules and case management functionality to alert on breaches and help reduce your mean time to detect (MTTD) and mean time to respond (MTTR). This will result in a shortened mean time to notify (MTTN) affected consumers and authorities.

If our customers have specific requirements, they can always modify our content to fit their organization’s policies and environment, leveraging their existing resources. That way, they don’t have to start from scratch, thereby reducing the cost of managing and adhering to compliance controls.

Familiarize Yourself With the Laws

It goes without saying that if your company is based in Colorado, you need to familiarize yourself with the state’s Consumer Data Protection Laws and recent changes. The Attorney General’s office posted some FAQs online, but it’s important to make sure you know exactly what applies to you and what you need to do to comply.

If you’re not in Colorado, it’s still worth reviewing these laws, as they could foreshadow what’s to come in your state. While other state laws may not be as strict as Colorado’s laws now, they could be soon. Make sure you double-check your own state’s data laws to ensure nothing has changed recently. As of today, all 50 states have data breach notification laws, 32 states have data disposal laws, and 21 states have data security laws.

Compliance is Complicated

Maintaining compliance is complicated, but it doesn’t have to be so challenging. There are people and organizations available to help you stay informed about the latest regulations. Incorporating a trusted tool to help monitor and automate compliance activities can make or break an audit. So it’s crucial to assess both your legal and technical landscapes now so you don’t risk paying a steep fine later.