Colorado’s new data privacy requirements, signed into law earlier this year, become effective September 1, 2018. See Colorado House Bill 18-1128, accessible here. The law is separated into two very similar sections applying to “covered entities” and “governmental entities.” Covered entities are those that “maintain, own or license personal identifying information” of Colorado residents “in the course of its business, vocation or occupation.” HB 18-1128. The key requirements of the new law include: 1) creating a written disposal and destruction plan for personally identifying information; and 2) notifying Colorado residents, credit reporting agencies and the Colorado attorney general when security breaches affecting Colorado residents occur.
The definition of personally identifying information (PII) has been expanded to include biometric data, passport numbers, student identification numbers and more. In addition to maintaining “reasonable security measures” to protect PII from unauthorized access, use, modification, disclosure or destruction, covered and governmental entities must also draft and comply with a written plan for disposing of unneeded PII in a way that renders the information completely unreadable and unusable. The law states these security measures should be “appropriate to the nature and size of the business and its operations.” HB 18-1128. Required disposal procedures apply to both physical and electronic documents.
Defined more stringently than PII for purposes of a destruction plan, loss of personal information (PI) triggers the breach notification requirements described below. PI means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following: social security number; student, military or passport identification number; driver’s license or identification card number; medical information; health insurance identification number; or biometric data. PI can also include a Colorado resident’s username or email address in combination with a password or security question and answer, as well as an account or credit/debit card number in combination with a security/access code or password.
When covered or governmental entities suspect a security breach has occurred, they are required to promptly investigate the potential breach. If they determine a security breach has occurred and that PI has been or is likely to be misused, the entity is required to provide notification to the affected Colorado residents within 30 days of the breach. Entities may provide notice through a variety of means depending on what contact information they have for each Colorado resident and the nature of the customer relationship. Notice may be provided by written notice to the postal address listed in the entities’ records, telephone, electronically or in certain circumstances by substitute notice such as posting a conspicuous disclosure on the main page of the entities’ website.
If the security breach affects more than 500 Colorado residents, the breach must be reported to the Colorado attorney general. Breaches affecting more than 1000 Colorado residents must be reported to the credit reporting agencies. Notifications must include: 1) the date of the breach; 2) a description of the PI acquired during the breach; 3) contact information for the covered or governmental entity for the Colorado resident to inquire about the breach; 4) contact information for the consumer reporting agencies; 5) contact information for the Federal Trade Commission; 6) a statement regarding information available from the Federal Trade Commission and credit reporting agencies about fraud alerts and security freezes; and 7) instruction on how to change passwords, security questions and other log-in credentials for the accounts that were breached and other unrelated accounts for which the resident may have used the same email account and password. Furthermore, if the breach also resulted in the loss of a “confidential process, encryption key or other means to decipher the secured information,” the notification must include information to that effect. HB 18-1128.
The law states that entities regulated by state or federal law that maintain disposal procedures in accordance with an applicable state or federal law, rule, procedure or guideline are in compliance with the disposal requirements of this law. However, entities are not exempt even where covered by HIPAA and the Gramm-Leach-Bliley Act. The law specifically notes that where the notification deadlines for other state and federal laws conflict with this law, the entity shall comply with whichever deadline is shorter. Because Colorado currently has the shortest notification deadline of any state, notification must occur within 30 days regardless of what other laws apply. The law also details additional requirements for entities that use third-party service providers to maintain, process or store PII/PI on behalf of the entity.
The compliance deadline for Colorado’s new data privacy law is quickly approaching, and different entities will require a tailored approach to develop effective destruction plans as well as policies for ensuring compliant notification in the event of a breach.