The Colorado data breach notification bill was introduced in January to protect residents against data breaches. It proposed giving companies a maximum of 45 days to send breach notifications to persons whose personal information was compromised. The bill also updated the definition of personal information, broadening its scope. The updated definition included data protected under HIPAA rules, such as biometric data, medical information and health insurance information.
In mid-February 2018, Colorado’s House Committee on State, Veterans and Military Affairs passed an updated version of the Colorado data breach notification bill. It is now with the Committee on Appropriations for consideration. The latest version adds further data elements, such as passport numbers, student IDs and military IDs, to the definition of personal information. The breach notification time frame was also shortened to 30 days from the 45 days proposed in the original bill.
Before this version of the Colorado data breach notification bill, organizations that complied with the federal data breach notification laws were considered to be in compliance with state laws. That is no longer the case. HIPAA rules give healthcare organizations up to 60 days from discovery of a breach to notify the affected individuals. If a HIPAA covered entity experiences a breach impacting Colorado residents, notifications must be issued within 30 days, not 60 days.
The original Colorado breach notification bill required notification of the state attorney general’s office within 7 days of breach discovery when 500 or more Colorado residents were affected. The new bill relaxes this requirement: the state attorney general’s office may be notified within 30 days. In addition, breach notification is not required if there is no misuse of the data or if misuse is unlikely to occur.
If the new bill is approved, Colorado will be one of only two states with strict time scales for sending breach notifications; the other is Florida. Colorado residents will be better protected when their personal information is exposed, because healthcare organizations will have to issue breach notifications earlier.