Colorado’s Gov. John Hickenlooper signed a bill that significantly strengthens its current data breach notification requirements and adds new measures designed to enhance protections for consumer data privacy. The new law will go into effect on Sept. 1, 2018.

Disposal of personal identifying information

As previously discussed here (while the bill was in committee), HB18-1128 creates more stringent requirements regarding the disposal of personal information. Under C.R.S.A. § 6-1-713, all “covered entit[ies] in the state that maintain[] paper or electronic documents during the course of business that contain personal identifying information” will be required to develop a written policy for the destruction or disposal of such information once such documentation is “no longer needed.”

New requirement to implement reasonable security procedures and practices

For the first time, under new Section 6-1-713.5, a person (as defined in Section 6-1-201(6)) who “maintains, owns, or licenses personal identifying information of an individual residing in [Colorado] shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” The new law also requires data owners, maintainers, and licensors to flow down appropriate security measures in contracts with third-party service providers that receive personal identifying information from the covered entity and that are maintaining, storing, or processing that data on behalf of the covered entity.

Expanded data security breach notification obligations

Personal information: Under the existing law, Colorado defined personal information as “a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: (A) Social security number; (B) Driver’s license number or identification card number; (C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.”

Under the new law, the definition of personal information remains the same (although with a slight change to data element “C”), but now also includes the following data elements: (1) student, military, or passport identification number; (2) medical information; (3) health insurance identification number; (4) biometric data; and (5) a username or email address, in combination with a password or security questions and answers, that would permit access to an online account.

Timing: Colorado joins Florida as the only other state that requires notification of a security breach within 30 days. The new law requires notice to the affected Colorado residents “in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred.” The bill also provides that where Colorado and federal notification laws conflict, “the law or regulation with the shortest time frame for notice to the individual controls.”

Content: The bill adds new content requirements for notice letters sent to Colorado residents. Under the new law, a notice must include the date, estimated date, or estimated date range of the security breach; a description of the acquired personal information; a way for the resident to contact the organization; toll-free numbers, addresses, and websites for consumer reporting agencies (CRAs) and the Federal Trade Commission (FTC); a statement that the resident can obtain information from the FTC and CRAs about fraud alerts and security freezes; and, if the acquired data included a username or email address in combination with a password or security questions and answers for an online account, a statement directing the person to promptly change the password and security questions or answers or take other steps appropriate to protect online accounts that use the same username or email address.

Attorney general notification: The bill adds a new requirement to notify the Colorado attorney general in the event that notice of a security breach is made to 500 or more Colorado residents.

New requirements for government entities

The bill also adds new sections to Title 24 of the Colorado Revised Statutes that create obligations for government entities similar to those discussed above.

For additional information regarding data breach notification statutes enacted in the United States and worldwide, please refer to BakerHostetler’s state-by-state survey of data breach notification laws and key issues in state data breach notification laws.