Colorado New Data Disposal Law Requires Data Destruction and Written Policies
August 21, 2018
“As is usually the case,” says i-SIGMA CEO Bob Johnson, “NAID members ready and able to react to the new Colorado data destruction law stand to reap major benefits.”
In less than two weeks, on September 1, Colorado’s House Bill 18-1128 requires any firm doing business with its citizens to have formal data security and data disposal programs, Including written policies. Like the new GDPR in Europe and the new Consumer Privacy Act in California, the law extends outside the state’s borders, applying to any and all organizations doing business there… regardless of where they are located.
Included among the prescribed requirements of the new law are:
- An expanded definition of Personal Identifying Information (PII)
- A clear requirement to have written disposal policies
- A clear legal obligation to verify the compliance and security of data destruction service providers
When asked to define “ready and able,” Johnson said, “First, it means being able to verify regulatory compliance and operational security. Second, it means going to customers proactively to help them write the required disposal policy. This will require the customer to look at all their destruction needs, which, in turn, leads to greater demand. It also makes sure a competitor doesn’t beat them to it. Lastly, it means having the wherewithal to reach out to prospective customers, often taking them away from service providers who are not responding.”