New Data Protection Law Signed in Colorado

A new bill – HB 1128 – has been signed into law by Colorado Governor John Hickenlooper which further protects consumer data in Colorado.  Reps. Cole Wist (R) and Kent Lambert (R) and Sens. Jeff Bridges (D) and Lois Court (D) sponsored the bill, which was unanimously approved by the Legislature. The bill will be enforced from September 1, 2018.

Under the new law, organizations doing business in the state of Colorado that require access to consumers’ personal information will be required to establish reasonable security measures and practices that protect state residents’ personal identifying information (PII). The bill reduces the time required to notify the state attorney general and affected individuals of breaches of PII and new requirements have been introduced that require PII to be disposed of securely when it is no longer needed.

Personal information is defined as the first name and last name or the first initial and last name of a state resident plus any of the data elements listed below:

  • Social Security number
  • Military ID number
  • Student ID number
  • Driver’s license number or ID card number
  • Passport number
  • Health data
  • Biometric data
  • Health insurance ID number
  • Email addresses with passwords or security Questions &Answers
  • Financial account numbers, or credit cards or debit cards with corresponding security codes permitting access/use

The reasonable security measures and practices required of covered entities depend on the nature of the PII collected and the size of the business. Measures must be in place to prevent unauthorized access, disclosure, modification and destruction of PII. Before PII is shared with a third-party, the covered entity must check if the third party has appropriate security measures in place.

All businesses in Colorado that store the personal information of residents must have a written policy that covers proper disposal of information when it is no longer needed. Digital data and physical records should be disposed of securely, to ensure PII is unreadable or indecipherable and cannot be reconstructed.

When the bill was initially introduced,  the state attorney general was required to receive a breach notification within 7 days of a breach being discovered. However, businesses operating in Colorado criticized this requirement as the short time frame would not be sufficient to allow them to find out if there had been any misuse of data. The new bill amended this notification requirement and extended it to 30 days after the discovery of the breach.

Covered entities only need to notify the state attorney general if the breach impacts over 500 Colorado residents. Affected residents must receive breach notification within 30 days regardless of the scale of the breach. HIPAA covered entities in Colorado need to follow the 30-day time frame even though HIPAA rules allows 60 days to issue notifications. The same time frame applies to entities covered by the Gramm-Leach-Bliley Act.

The issuance of a breach notification is required in cases of security breaches exposing personal information unless it happened in good faith and the information has not been used for malicious or unlawful purposes and if the information was not further disclosed without authorization. The breach notice must also be published on the entity’s website and via statewide media.