The Colorado legislature recently passed a new data privacy law, House Bill 18-1128, which heightens the requirements for corporate and public entities that handle personal information of Colorado residents. Effective September 1, 2018, the law aims to strengthen consumer data privacy by 1) shortening the breach notification window, so that affected Colorado residents and the Attorney General must be notified within 30 days of determining that a data breach occurred; 2) requiring businesses and third-party entities to adopt “reasonable security procedures” to safeguard the personally identifiable information (“PII”) they handle; and 3) imposing data disposal rules on such entities.
Notable provisions of the bill include:
- Expanding the Definition of Personal Information: The Colorado bill expands the definition of PII to a resident’s first name or first initial and last name, combined with one or more of the following additional elements: 1) Social Security Number or Personal ID Number; 2) Passport Number; 3) Driver’s License or ID Card Number; 4) Employer, Student, or Military ID Number; 5) Password or Passcode; 6) Biometric Data; or 7) Financial Transaction Device (e.g., a credit or debit card number).
- Increasing Data Safeguarding and Disposal Responsibilities: Entities that possess PII of Colorado residents are required to implement “reasonable security procedures” appropriate to the nature of the data and to the nature and size of the organization. Entities must also maintain a written policy requiring the destruction of PII once it is “no longer needed,” in a manner that renders the data “unreadable or indecipherable.”
- Third Party Enforcement: Entities that disclose PII to a third-party service provider must require that provider to implement and maintain the same reasonable security procedures required of the entity itself. Alternatively, an entity may choose to provide its own reasonable security protection for the information it discloses to the service provider, in which case it is not required to impose the security procedures on the third party.