When Colorado’s state legislature introduced their current consumer data privacy law back in 2018, it was hailed as one of the strictest in the country. Now that assessment feels quaint, as dozens of other states have passed — or are working on — data privacy laws that equal or surpass Colorado’s in terms of toughness.
Still, Colorado’s law — officially known as House Bill 18-1128 — places the burden of consumer privacy squarely on businesses, and opens the door to fines and lawsuits for non-compliance.
And, unlike other state laws such as California’s CCPA, the Colorado law doesn’t make any exemptions for small businesses.
Auto and truck dealers are especially susceptible to cyber attacks and data breaches. Dealers in Colorado should familiarize themselves with the law, ensure they are in compliance, and if not, take steps to update their cybersecurity as quickly as possible.
What does Colorado’s data privacy law entail?
House Bill 18-1128 contains three major provisions:
- Businesses that handle the personal identifying information (PII) of Colorado residents must have a written policy and active program for disposing of PII when it is no longer needed.
- Businesses must “implement and maintain reasonable security procedures” in order to protect PII.
- Businesses must notify affected consumers and the Colorado Attorney General of any data breach that meets certain requirements.
Here’s some more detailed info on the law from the Colorado AG’s office.
What does the law mean for dealers?
Because the law applies to any business in possession of consumer PII, all auto and truck dealerships in Colorado are subject to it.
On the whole, auto and truck dealers are less prepared for cyber attacks than other businesses, even though their sales, finance, and service departments contain treasure troves of PII.
In addition to potential fines, penalties, and lawsuits, dealers are also particularly susceptible to the reputational damage caused by data breaches. About 84% of consumers say that they would not purchase another car from a dealership whose data has been compromised.
You can learn all about the state of dealership cybersecurity here.
What are reasonable security procedures?
Like other data privacy laws, Colorado’s requires dealerships to implement and maintain “reasonable” IT security measures, but does not go on to define them. The idea is that what counts as “reasonable” differs for each business, depending on its size and industry.
At Helion, we’ve tackled this problem for auto and truck dealers. Starting with the CIS top 20 controls — widely accepted as the baseline for cybersecurity best practices — we developed a list of 10 essential IT security best practices for dealers.
We’ve made a detailed review of these best practices available for free.