(1) (a) The general assembly hereby finds, determines, and declares that:
(I) An important function of state government is to protect state records containing trusted information about individuals, organizations, assets, and activities from criminal, unauthorized, or inadvertent manipulation or theft;
(II) In 2017, the cyber threat to the Colorado government included six to eight million attempted attacks per day;
(III) Unsecured public records are valuable targets for identity thieves and hackers with the intent to steal or penetrate corporate records. In addition, there are increasing threats of theft of personal privacy information within government data and a growing number of threats to networks, critical infrastructure, and private data and devices;
(IV) It is crucial to design a framework to identify solutions to prevent unauthorized external disclosures, protect privacy and confidentiality, and prevent inadvertent releases of information;
(V) The expanded use of distributed ledger technologies, such as blockchains, may offer transformative improvements to data security, accountability, transparency, and safety across dispersed state departments and jurisdictions;
(VI) Local, regional, and national agencies are charged with maintaining records that include birth and death dates, information about marital status, business licensing, property transfers, or criminal activity. Managing and using these data can be complicated, even for advanced governments. Some records exist only in paper form, and if changes need to be made in official registries, citizens often must appear in person to do so. Individual agencies tend to build their own isolated repositories of data and information-management protocols, which preclude other parts of the government from using them.
(VII) Distributed ledger and blockchain technologies are rapidly evolving for every sector of the marketplace, as they offer unique solutions that connect society, technology, and finances by mapping human actions to transactions performed on the internet;
(VIII) Distributed ledgers provide the capability of openly traceable transactions while maintaining the privacy of each person performing the transactions;
(IX) Government programs using distributed ledger technologies, such as blockchains, can offer the ability to control functionality, track transactions, verify identities, support uniformity, resist tampering, enable logistical control for large numbers of participants, protect privacy, and support accountability and auditing;
(X) Distributed ledger technologies can provide or increase the following benefits:
(A) Enable the state to reduce fraud and malicious infiltration of state-controlled programs by creating an auditable visibility for all transactions and the people who perform them;
(B) Reduce false communications from computing devices, which can provide data to pursue appropriate enforcement actions. Data with proof of origin could be used to establish a forensic chain of custody for use in courts of law;
(C) Support verification of authorized users, organizations, distributed computing devices, and nonrepudiation of the actions of parties participating in virtual transactions;
(D) Reduce spoofing of devices and falsification of data received from regulated or control devices, and drastically reduce or eliminate the threat of malware installed on devices used statewide;
(E) Better protect personal privacy information;
(F) Create global visibility while maintaining the confidentiality and privacy of individual organizations and users;
(G) Reduce state government expenditures and costs as a result of the visibility of transactions gained from the open nature of blockchain-enabled programs;
(H) Enable the adoption of distributed ledger-enabled platforms for computer-controlled programs, data transfer and storage, or regulation programs that would be needed or used by the state. These would also enable transaction-based revenue generation and return on investment for state programs;
(I) Provide quantifiable risk and quality rating capability for all organizations, agencies, and insurance providers, giving the ability to set premiums and to reward or enforce punitive controls on organizations based on their quality performance over time. Positive action to mitigate risk should lower state civil liabilities, lower insurance costs, and lower state vulnerability to adverse litigation;
(J) When authorized, provide a revenue generation stream for the state through the sale of transactions, fees, and memberships to private organizations for use of state-owned operational blockchain or distributed ledger platforms. A distributed ledger-enabled platform may allow the sale of trusted components and continued transaction-based returns on investment on an ongoing basis; and
(K) Enforce Colorado governance requirements and laws, thereby protecting legal and legitimate distribution of controlled substances to protect state revenue streams received by taxation of controlled substances.
(b) The general assembly further finds, determines, and declares that the intent of this section is to allow and encourage the office of information technology, the office of the chief information security officer, departments, and agencies to identify and implement distributed ledger technologies, such as blockchains, whenever appropriate, rather than to mandate specific solutions. In addition, the intent of this section is to encourage the office of the chief information security officer to coordinate cross-jurisdictional standards and procedures, especially among state departments and agencies and among counties and municipalities when appropriate.
(2) The office of the chief information security officer shall identify, assess, and mitigate cyber threats to state government. In furtherance of this responsibility, the chief information security officer shall, on an annual basis and through annual public agency enterprise cybersecurity plans, collect information from all public agencies as defined in section 24-37.5-402 (9) to assess the nature of threats to data systems and the potential risks and civil liabilities from the theft or inadvertent release of such information. Institutions of higher education and the general assembly may provide the information specified in this subsection (2) to the chief information security officer.
(3) In coordination with the Colorado cybersecurity council created in section 24-33.5-1902, and in partnership with the office and the government data advisory board created in section 24-37.5-703, the office of the chief information security officer is encouraged to assess the data systems of each public agency for the benefits and costs of adopting and applying distributed ledger technologies such as blockchains. The office of the chief information security officer is encouraged to consider program losses due to potential malicious attack, transactional errors, or fraud as possible savings achievable from visibility gained through distributed ledger platforms. The office of the chief information security officer is encouraged to develop and maintain a series of metrics to identify, assess, and monitor each public agency data system on an ongoing basis for their platform descriptions, vulnerabilities, risks, liabilities, appropriate employee access control, and the benefits and costs of adopting encryption and distributed ledger technologies. The office of the chief information security officer is also encouraged to consider the cost-avoidance benefits and the positive benefits of reducing litigation risks or the costs of state insurance against state legal liabilities.
(4) The office and the office of the chief information security officer shall consider developing public-private partnerships and contracts to allow capitalization of encryption technologies, while protecting intellectual property rights.
(5) In communication between multiple parties, the office and the office of the chief information security officer are encouraged to ensure that platforms incorporate the nonrepudiation of participating entities in virtual transactions. Because parties communicating over the internet inherently lack positive identification of one another, secure communication systems should be designed to assure that each sender of data is provided with proof of delivery and that each recipient of data is provided with proof of the sender's identity, so that the integrity of the communications can be trusted, each communication is accountable and auditable, and the communicators cannot deny that their communications took place. This property is technically called nonrepudiation, in compliance with federal guidelines and industry best practices.
(6) A county or municipal government shall not:
(a) Impose a tax or fee on the use of distributed ledger technologies by any private person or entity; or
(b) Require any private person or entity to obtain from any public agency any certificate, license, or permit to use distributed ledger technologies.