Make sure your landscape company is protecting employee and consumer data
Written by Cherie Courtade   
Tuesday, September 11, 2018 03:00 AM

On September 1, 2018, Colorado’s updated data privacy law took effect. The law applies to all employers, regardless of employee count. The bill, which has been touted as one of the strongest consumer data protection laws in the US, establishes responsibilities for business owners in handling personal data and in responding to a data breach.

House Bill 18-1128 passed the state legislature unanimously and was signed into law by Governor Hickenlooper on May 29, 2018. The law addresses “personally identifiable information,” or PII. It broadens the types of information that count as PII to include items such as Social Security numbers, usernames and passwords, and employee ID numbers. It also requires a business to notify affected individuals within 30 days of discovering a data breach, the shortest timeframe of any state data privacy law. If more than 500 Colorado residents are affected by the breach, the company must also notify the state attorney general within the same 30 days.

The law also covers storage and destruction of the data. It states that a business should “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” If a third party stores that information on behalf of a business, the business remains responsible for making sure the third party maintains those security procedures and practices.

Companies are also required to have, and follow, a written policy for destroying PII once it is no longer needed.

The Protections for Consumer Data Privacy law deliberately does not prescribe specific storage and destruction methods, so that businesses of different sizes can develop a policy that fits their employees and customers. A small business with a few employees is therefore not required to implement the same costly, and possibly excessive, systems that a national or international corporation must use; it is still required to have a policy and to follow it.

So how does a company decide what it needs to do? First, business owners should speak with an attorney or other qualified adviser to confirm that they are in compliance. Internally, they can prepare with a simple audit that documents:

  • what types of information they store about their customers and employees;
  • where and how they store it (electronically? on paper? with a third-party provider?);
  • how well that storage is protected against breaches (simply placing files in a shared consumer file-sync account such as Dropbox, for example, is not by itself a security measure); and
  • who has access to the information, and whether each of those people actually needs it.

Official bill summary: Except for conduct in compliance with applicable federal, state, or local law, the bill requires covered and governmental entities in Colorado that maintain paper or electronic documents (documents) that contain personal identifying information (personal information) to develop and maintain a written policy for the destruction and proper disposal of those documents. Entities that maintain, own, or license personal information, including those that use a nonaffiliated third party as a service provider, shall implement and maintain reasonable security procedures for the personal information. The notification laws governing disclosure of unauthorized acquisitions of unencrypted and encrypted computerized data are expanded to specify who must be notified following such unauthorized acquisition and what must be included in such notification. 

Published in Colorado Green NOW.