Phil Weiser speaks at Data Privacy Day event

Attorney General Phil Weiser speaks at a Data Privacy Day event at the Ralph L. Carr Colorado Judicial Center on Jan. 28, 2020.

Speaking on Data Privacy Day to representatives of small and mid-sized businesses, Attorney General Phil Weiser repeated the mantra of “Mad-Eye” Moody, a professor in the Harry Potter book series: “Constant vigilance.”

“There are so many questions that have to be asked,” Weiser said. “How much data are you collecting? How are you collecting it? How long is it stored? Who has access to it? And what happens if outside parties get access?”

Weiser referenced a 2018 Colorado law, the Protections For Consumer Data Privacy Act, that requires businesses and government entities to maintain protocols for keeping and disposing of personal identifying information. The bill also established reporting requirements to individuals and — if more than 500 Coloradans are affected — the attorney general’s office in the event of a breach.

Still, he believed that further action, particularly on an internationally-agreed-upon enforcement mechanism, was necessary to coordinate responses to attacks from outside the country’s borders.

“One of the most frustrating parts of the current environment we’re in is the real bad guys, the hackers, often escape accountability,” Weiser said. “Most of those attackers and hackers don’t live in this country. And we are thus left asking intermediaries to build better protections, knowing that the bad guys are hard to get.”

Chief Deputy Attorney General Natalie Hanlon Leh disclosed that as of December 2019, 90 companies had reported security breaches to the attorney general’s office. The Consumer Protection Section of Weiser’s office has warned that older Coloradans are specifically at risk for fraud.

“I deal with bad guys who wake up every morning and think about the best way to trick old ladies out of providing their credit card number,” said Mark Bailey, the senior assistant attorney general.

At the Tuesday event, which was intended to provide education about state and federal cybersecurity and data privacy laws, Weiser announced a $500,000 grant to Colorado Northwestern Community College to launch a cybersecurity degree program.

“We know there are not enough cybersecurity professionals, particularly in more rural parts of our state. Particularly among public sector employers,” Weiser said. He added that he would like to see programs for loan forgiveness for cybersecurity graduates who commit to working in the public sector.

The money for the program is part of the $3.6 million that Colorado received in a settlement with credit reporting company Equifax. A 2017 data breach compromised the personal information of 2.5 million Coloradans, and 147 million people in total.

In 2018, California passed a landmark consumer privacy act that grants consumers the right to know what personal information is being shared or sold, as well as the right to delete their information and to opt out of having their data sold by third parties.

“One of the larger questions that they’re pondering is whether consumers have a property right in their data,” said Karen White, executive director of the Conference of Western Attorneys General and the Attorney General Alliance.

Personal information under Colorado law means a resident’s first name or initial and last name in combination with a social security number, password, biometric data, financial account numbers, or medical information, among other components. The window for entities who are the target of a breach to notify consumers is 30 days.

A spokesperson for the attorney general said afterward that he has been speaking with state lawmakers about a new data privacy bill.

Philip Gordon, with the labor and employment law firm Littler Mendelson P.C., estimated during a panel discussion that 50% to 80% of security breaches result from “negligent or malicious insiders.”

“It’s a people problem as much as it is a technological problem,” he added.

Gordon described a security breach in which a company employee received a phishing e-mail. The employee clicked on the link, which gave hackers access to her 600-person e-mail directory, 400 of whom were coworkers. The hackers sent further phishing e-mails to those 400 individuals. Before the company’s IT department could react, 17 people fell for the scam and hackers gained access to two employees’ inboxes.

And in one of those accounts, the hackers were able to access “97,000 e-mails, 9,800 attachments, a spreadsheet with 7,900 current and former employees’ Social Security numbers, and 2,521 dependents’ Social Security numbers,” Gordon said.

The costs of such a breach can be steep: there can be damage to relationships between a company and its employees or a company and its customers. Business partnerships may also be jeopardized. On top of that, a company will be looking at investigations and potential litigation.

“The more we have awareness, the more we have vigilance, the more we will earn the respect of ‘Mad-Eye’ Moody,” Weiser observed.
