On May 29, 2018, Colorado passed House Bill 18-1128, which requires "covered entities" to comply with new rules regarding the security and disposal of "personal identifying information" (PII). The new law also provides an expanded definition of "personal information" and more stringent notification standards in the event of a security breach involving personal information.

How does this new law apply to my business?

If your business maintains, owns or licenses personal information of Colorado residents, you need to comply. Keep in mind that personal information is broadly defined to include first initial and last name in combination with unencrypted identification numbers (SSN, passport number, driver's license, etc). It also includes an email address combined with a password or security questions and answers and account or debit/credit card numbers combined with access codes or passwords.

What does my business need to do to comply?

  • Implement appropriate security procedures to protect PII.
  • Make sure that your vendors who handle PII have appropriate security procedures in place and are required to notify you of data breaches and assist you with remediation.
  • Maintain a written policy for document destruction when PII is no longer needed.
  • Implement a data breach notification policy with notice provided to individuals no later than 30 days after determination that a breach occurred. The notification requires significant detail and additional notification to the Colorado Attorney General's office and credit reporting agencies if certain thresholds are met.

How can I learn more about this new law?

A summary and text of the law are available here.

Below are the detailed definitions and requirements:

Covered Entity is a person that maintains, owns, or licenses personal information in the course of their business, vocation or occupation. Covered entity does not include a "third-party service provider."

Personal Information means:

  • A Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data
  • A Colorado resident’s username or email address, in combination with a password or security questions and answers that would permit access to an online account
  • A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code or password that would permit access to that account

Personal information, however, does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

Personal Identifying Information means a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver's license or identification card number; a government passport number; biometric data; an employer, student or military identification number; or a financial transaction device.

Third-Party Service Provider means an entity that has been contracted to maintain, store or process PII on behalf of a covered entity.

The new rules impose the following obligations:

  1. Security Procedures. Covered entities must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII and the nature and size of the business and its operations.
  2. Third-Party Service Provider Controls. Covered entities must take measures to protect PII disclosed to third party service providers. The covered entity can either provide its own security protection for the disclosed information, or it can require the third-party service providers to implement and maintain security procedures. Third-party service providers must promptly notify covered entities of any data breaches, share information regarding the breach, and cooperate with the covered entity to resolve the breach.
  3. Document Disposal. Covered entities must develop and/or maintain a written policy for the destruction of any electronic or paper documents containing PII. Unless otherwise required by law, the policy must require that, when such documents are no longer needed, the covered entity shall destroy or arrange for the destruction of such documents within its custody or control that contain PII by shredding, erasing or otherwise modifying the PII in the documents to make the PII unreadable or indecipherable through any means.
  4. Breach Notification Regarding Personal Information. Covered entities must notify affected individuals in the most expedient time possible and without unreasonably delay, but not later than 30 days after the date of "determination that a security breach occurred." The "determination that a security breach occurred" means "the point in time at which there is sufficient evidence to conclude that a security breach has taken place."

The notice must include the following information: date (or estimated date or date range) of the breach; description of the PII involved; contact information for the covered entity, consumer reporting agencies, and the Federal Trade Commission (FTC); and a statement that the resident can obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes.

In the event the covered entity determines that the PII has been misused or is reasonably likely to be misused, the covered entity must also direct the affected persons to change their password and security questions, or take other steps appropriate to protect their affected online account(s).

A covered entity must also notify the Colorado Attorney General’s office in the most expedient time possible and without unreasonably delay, but not later than 30 days after the date of determination that a security breach occurred, of any breach reasonably believed to affect 500 or more Colorado residents, and must notify credit reporting agencies if it is required to give notice to more than 1,000 Colorado residents.

A covered entity that maintains its own notification procedures as part of an information security policy for the treatment of PII and whose procedures are otherwise consistent with the timing requirements of the new notification laws is deemed in compliance with the notice requirements when it notifies affected residents in accordance with its policies. In addition, regulated covered entities that maintain security breach procedures pursuant to their regulator’s laws, rules, regulations and guidelines are deemed in compliance with the new notification provisions.

If your company maintains PII or Personal Identifying Information of Colorado residents in the course of your business, we recommend that you implement a security policy and procedures, which include provisions for document disposal, third-party service provider controls, and breach notification consistent with the new law.