A bipartisan group of legislators in Colorado proposed changing its privacy and data breach notification laws for state residents to have better protection. If passed, there will be significant changes in the current state laws. The proposed legislation will add the following personally identifying information (PII) to the definition of PII.
Full name or last name and initial in combination with any of the following data elements:
- personal ID numbers
- employment, student and military IDs
- Social Security numbers
- passport numbers
- state ID numbers
- state or government driver’s license numbers
- biometric data
- passwords and pass codes
- health information
- financial transaction devices
- health insurance information
Usernames/email addresses, credit/debit card numbers and other financial account numbers are also included, should the mentioned information become compromised together with other information that permits access or use of accounts. It is not considered a breach if the PII is encrypted, unless the unauthorized person also gets the key to unlock the encryption.
The new legislation would require organizations that store the PII of state residents to implement controls that protect the privacy and confidentiality of PII. Although there is no set types of security protections, practices and procedures that is to be implemented, the requirement is to use security measures “appropriate to the nature of the PII and the nature and size of the business and its operations.”
Any entity that would like to disclose PII to a third party must tell that entity to protect and secure the PP at all times using the appropriate technology, practices and procedures. Sensitive data must be protected from unauthorized access, use, disclosure, modification or destruction.
If the entity or third party does not need the PII any longer, the PII, whether in paper or digital form, must be securely destroyed without retaining any copy. There must be a written policy covering the destruction of data. Paper records may be burned, pulped, pulverized or shredded. Electronic data must be securely deleted to avoid restoration using methods like degaussing, use of software to overwrite media, pulverization, melting, disintegration, incineration or shredding.
In case of a PII breach, the covered entity has up to 45 days from the breach discovery to issue notifications. Notifications must be issued “in the most expedient time and without unreasonable delay.” The state attorney general must receive notification of a breach that impacts over 500 persons no later than 7 days after the discovery of the breach.
Breach notification letters must include the following content:
- date of the breach or an estimate if it is unknown
- description of the compromised PII
- information on how credit freezes and security alerts can be set
- contact information
- a toll-free number to contact for more information
- contact details of consumer reporting agencies and the FTC
The legislation would also give the Colorado Attorney General the authority to initiate criminal investigations and legal proceedings on organizations violating the state law.