Colorado Law Tightens Data Breach Notification Rules
Colorado has substantially tightened reporting requirements for organizations hit by a data breach and firmed up measures to protect consumers’ confidential information.
Gov. John Hickenlooper signed off on the new bill, HB18-1128, which goes into effect on September 1, 2018 and creates a new statute, C.R.S. § 6-1-713.5, entitled Protection of Personal Identifying Information. The law amends existing statutes on the disposal of personally identifiable information (PII) and breach reporting. The legislation, which also applies to state government agencies, includes the following:
- Upgrades data security procedures and practices.
- Broadens the type and amount of PII that organizations are obliged to report as stolen or compromised.
- Mandates the type of information to be included in consumer notifications of a breach.
- Sets a deadline for organizations to notify affected consumers of a breach.
Colorado Data Privacy & Breach Notification Law: Deeper Details
Here’s a drill down (via HB18-1128 and the BakerHostetler law firm’s Data Privacy Monitor):
PII disposal: A “covered entity” (a person that maintains, owns or licenses PII, either in paper or electronic form in the course of conducting business) must have as a written policy that the information will be destroyed by “shredding, erasing or otherwise modifying” it to make it “unreadable or indecipherable” when it is no longer needed.
New security procedures and practices: A covered entity that maintains, owns or licenses PII of a Colorado resident must “implement and maintain reasonable security procedures and practices” to protect the data from “unauthorized access, use, modification, disclosure or destruction.” It must also require third-party providers to do the same.
Breach notification obligations: The new law widens the definition of PII to include items such as medical and health insurance information, biometric data, usernames and emails, and passwords, that consumers must be told has been stolen. Under the new requirements, third-party providers must notify covered entities as quickly as possible on the types of PII that has been compromised. Notification of a security breach to Colorado residents must be accomplished within 30 days of the event, “in the most expedient time possible and without unreasonable delay.” In cases where Colorado’s bill conflicts with federal law, the regulation with the shortest time frame” takes precedent.
Colorado Data Breach Notification Law: Disclosure Timing
The notice must include the date, estimated date, or estimated date range of the security breach, a description of the stolen personal information, how to contact the organization and directions to change their password and security questions or other necessary steps to protect their online accounts. In addition, if the security breach affects more than 500 Colorado residents, notification must also be sent to the state’s attorney general.
HB18-1128 places Colorado among the group of states with the strictest data breach laws. For example, Florida has enacted statutes similar to Colorado’s, and late last year New York Attorney General Eric Schneiderman introduced the “Stop Hacks and Improve Data Security Act” legislation to require companies to implement certain safeguards to protect collected and stored consumer data.
BakerHostetler has compiled a document detailing state-by-state breach notification laws along with key data security issues.