Colorado requires businesses to take reasonable steps to protect consumer data under both the Colorado Consumer Protection Act and its landmark new data privacy law, the Colorado Privacy Act (CPA). The CPA (which we covered in detail  here) comes into force on July 1, 2023,1 but businesses need not wait to take steps to protect data from potential breaches and attacks. Colorado Attorney General (AG) Phil Weiser recently released guidance that outlines best practices for safeguarding data that both private-sector and governmental entities can implement now.

The guidance advises entities to adopt the following nine practices:

1. Inventory types of data collected and establish systems to store and manage data.

Entities should take stock of all data that they collect and store, as well as the source and purpose of collection. From there, entities should develop written policies for data retention and destruction, along with limits on how long personal data will be retained.2

2. Develop a written information security policy.

Data minimization, access control, password management and encryption are crucial components of an information security policy, and entities should also consider any industry-specific rules applicable to the type of information being collected.3

3. Adopt a written data incident response plan.

A data incident response plan lays out the steps an entity will take if it becomes subject to a data incident, such as a data breach or cyberattack. The AG advises that incident response plans should be available in paper form in case a cyberattack jeopardizes computer access.4

4. Manage vendors' security.

Protecting data requires managing risks presented by other parties with access to an entity's systems, including third-party vendors. Once in effect, the CPA will require entities to secure certain contractual obligations regarding data security from vendors processing personal information.5

5. Train employees to prevent and respond to cybersecurity incidents.

Similarly, entities should train their own employees on how to protect against phishing attacks by preparing them to identify and flag suspicious emails and network activity.6

6. Follow the Department of Law's ransomware guidance.

The Colorado Department of Law has separately issued guidance to entities facing increased threats of ransomware attacks. Among other things, entities are encouraged to quickly patch systems and make systems updates, test incident response plans and keep backups of system data. In the event of a ransomware attack, having accessible backups will ensure an entity can still operate even if its system has been rendered inaccessible due to encryption.7

7. Notify affected individuals and the Colorado AG of a breach, as required under law.

If an entity finds its network has been accessed by an unauthorized user, it should first conduct an investigation. If the entity concludes that personal information has been or is likely to have been misused, it has 30 days to notify affected Colorado residents, and must also notify the Colorado AG if 500 or more Coloradans are affected.8

8. Protect individuals affected by a data breach from identity theft and harm.

This may include compensating victims of a breach or undertaking other remedial measures, such as providing victims with access to free credit report monitoring.9

9. Review and update security policies regularly.

Data collection and data storage practices may need to be updated to respond to the constantly changing risks to personal information. Policies on data retention, data security and incident response should be reviewed regularly with this in mind.10

More and more State Attorneys General are issuing cybersecurity guidance, including the New York Attorney General's recently issued report on credential stuffing attack patterns and how to defend against them. These guidelines further underscore the importance of regularly implementing, testing and updating data protection and cybersecurity practices.

Please contact a member of Akin Gump's cybersecurity, privacy and data protection team if you have any questions about this guidance or any of the outlined data security practices.


1  C.R.S. §§ 6-1- 713.5, 716; "the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures." §§ 6-1-1305(4), (5).

2  CO. Off. of the Attn'y Gen., Data Security Best Practices (February 14, 2022), available at

3  Id. at 3.

4  Id.

5  Id. at 4.

6  Id.

Id. at 5.

8  Id.

9  Id. at 6.

10 Id.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.