Prepared Remarks: Conference on Data Privacy and Cybersecurity Compliance Toolkit for Small Businesses at the Colorado Department of Law (Jan. 28, 2020)

I want to thank all of you for joining us at the Colorado Attorney General’s Office for an important discussion on cybersecurity and data privacy. Today is, as many of you know, National Data Privacy Day. Please join me in thanking the Attorney General Alliance, and the National Cybersecurity Center for co-sponsoring this conference. You are both great partners and a pleasure to work with.

In my remarks, let me touch on a few important themes we are all wrestling with as we face a new frontier. First, let me discuss why I think data privacy and cybersecurity presents a unique set of challenges. Second, let me discuss a bit about what Colorado is doing in this area. Finally, let’s talk a bit about the challenges of finding qualified personnel in this field, particularly in the public sector.

The “Constant Vigilance” Mindset and A New Framework for Public Policy

When I talk about cybersecurity threats and the challenges of data privacy, I often invoke the case study of “Mad Eye Moody,” the Harry Potter character. As Harry Potter fans recall, Mad Eye Moody was one of the several professors of Defense Against the Dark Arts.  In his teaching, his mantra was “constant vigilance.”  And that is, in short, the mindset we need in approaching these issues.

For those companies and organizations who collect and control data, Mad Eye Moody should be an inspiration. For governments looking to oversee data management practices, Mad Eye Moody is a caution—be careful about prescriptive requirements that could lead to a ”check the box” mindset and actually undermine sound data security practices.

The set of issues around data privacy and security are multi-fold— what type of and how much data is collected, how is it stored, how long is stored, who has access to it, and what happens if personal information is disclosed to outside parties.  Too often, businesses have collected data because they can do so, not asking whether it is necessary, whether consumers knew it was being collected, and whether it was stored soundly.  Other times organizations had lax data security practices, providing too much access to irresponsible contractors, not installing basic protections, and keeping sensitive information for longer than necessary. The rise of Chief Privacy Officers and Chief Security Officers has made a positive impact on these challenges, but we still have considerable work to do.

In this conference, we will approach not only the legal and regulatory requirements governing data privacy and cybersecurity, but also work to provide guidance to organizations on how to handle critical incidents. For starters, we will review the emerging threats, including a range of social engineering practices and ransomware. We will also discuss how to build stronger organizational awareness and build a culture of compliance worthy of Mad Eye Moody’s respect. And to help drive these points home, the National Cybersecurity Center will lead a case study on lessons learned for incident response.

The State of Data Privacy and Cybersecurity Law in Colorado

A couple of years ago, the Colorado General Assembly clarified and enhanced our data breach notification and data disposal laws, as well as required companies to employ reasonable security procedures and practices.[1] As we work to implement this law, we are focused first on educating businesses about what constitutes reasonable security, including using forums like this one.  For companies that flagrantly ignore their obligation to keep personally identifiable information secure, however, we are ready to take appropriate enforcement action.

Over this legislative session, there is increasing discussion of the value of passing a Colorado data privacy law.  In the wake of California’s law taking effect, and no action on the federal level, it is indeed incumbent that states consider what measures are most appropriate to protecting consumers. I am looking forward to supporting those conversations and ensuring that Colorado can develop an effective regulatory regime that calls on companies to act appropriately, without setting prescriptive requirements that can become outdated or unduly burdensome efforts that do not generate enough benefits to be worth the effort.

Building A Strong Cybersecurity Team

As the leader of a large organization, I am very familiar with the challenges of developing sound cybersecurity practices. At the Attorney General’s Office, we have set up an interdisciplinary Data Privacy and Security Impact Team. The Team is comprised of InfoSec experts, attorneys, and members of my leadership team.  Together, they tackle issues ranging from our own obligation to keep data secure, the role we play in incident response on behalf of state agencies, to our obligation to oversee company practices. The leaders of this Impact Team are here today and we look forward to learning from today’s presentations and building valuable partnerships.

One challenge we hear again and again is the challenge in finding and recruiting talented professionals in this area. I had the unfortunate—and not unfamiliar—experience of hiring a cybersecurity professional and losing him to another employer within several months. This is a challenge for our whole state and, as I can attest, the challenge is even greater in the public sector.

To meet this challenge, I’m excited to announce new initiatives made possible through recently received funds from a settlement with Equifax, in which Equifax was held accountable for failing to protect consumers’ information. With these funds, we have an opportunity to improve cybersecurity here in Colorado. One area of focus will be supporting outreach and education efforts like today. Another such effort will be investing in cybersecurity education efforts.

To that end, I’d like to announce our office’s first grant to support cybersecurity education. We will be giving a multi-year grant to the Colorado Northwestern Community College in Craig. We will be granting them $500,000 over three years to establish a cybersecurity degree program, with a plan for the program to be self-sustaining by year four.  During a recent visit there, I had the opportunity to talk about their interest in setting up a cybersecurity program, and I saw the innovation mindset so prevalent in our community college system, along with the sense of responsibility for the community.  Given the shortage of professionals in this field and the economic challenges faced in Northwest Colorado—especially given the planned closure of a local power plant and coal mine—I was keen to support this model proposal to bring cybersecurity expertise and training to Northwest Colorado.

Finally, in a step related to, but separate from, the grant to CNCC, we are also exploring the possibility of loan repayment programs targeted at those graduating in cybersecurity programs who go to work in the public sector. For those with ideas and interest on this front, please let us know. From election security to managing personal information, we all have an interest in ensuring that Colorado governments have the cybersecurity expertise they need. Together, we will confront our cybersecurity challenges, including supporting governmental employers in getting the professionals they need to serve and protect the people of Colorado.

Conclusion

We are in the early stages of major changes in our economy. The emerging digital economy is powered by data and data collection, storage, and analysis, and it comes with a series of challenges that we need to be prepared to confront together.  I believe that we in Colorado will play an important part in such efforts to realize the great promise of our constantly-changing, constantly-connected world, and I look forward to working with you.

Thank you for your engagement and I look forward to your thoughts and questions.

[1] Colorado House Bill 18-1128 – Concerning Strengthening Protections for Consumer Data Privacy, (Colo. 2018), available at https://leg.colorado.gov/sites/default/files/2018a_1128_signed.pdf.