Current through Register Vol. 47, No. 20, October 25, 2024
Section 4 CCR 904-3-6.09 - DUTY OF CARE

A. Personal Data must be Processed in a manner that ensures reasonable and appropriate administrative, technical, organizational, and physical safeguards of Personal Data collected, stored, and Processed.

B. When determining reasonable and appropriate safeguards, Controllers should consider:
   1. Applicable industry standards and frameworks;
   2. The nature, size, and complexity of the Controller's organization;
   3. The sensitivity and amount of Personal Data;
   4. The original source of Personal Data;
   5. The risk of harm to Consumers resulting from unauthorized or unlawful access, use, or degradation of the Personal Data; and
   6. The burden or cost of safeguards to protect Personal Data from harm assessed in 4 CCR 904-3, Rule 6.09(B)(5).

C. Reasonable and appropriate administrative, technical, organizational, and physical safeguards must be designed to:
   1. Protect against unauthorized or unlawful access to or use of Personal Data and the equipment used for the Processing and against accidental loss, destruction, or damage;
   2. Ensure the confidentiality, integrity, and availability of Personal Data collected, stored, and Processed;
   3. Identify and protect against reasonably anticipated threats to security or the integrity of information; and
   4. Oversee compliance with data security policies by the Controller and Processors through reasonable requirements.

D. Reasonable and appropriate administrative, technical, organizational, and physical safeguards to secure Personal Data include but are not limited to those measures provided by C.R.S. § 6-1-713.5 and C.R.S. § 24-73-102, as interpreted by state courts and administrative orders.

46 CR 06, March 25, 2023, effective 7/1/2023