Recently, a new bill was signed by Colorado Governor John Hickenlooper, creating far-reaching new requirements for entities that collect or maintain personal identifying information of Colorado residents. These requirements, which will create one of the strictest state-based privacy and data breach laws in the country, will go into effect September 1, 2018. The Colorado Attorney General’s office led part of the effort to pass the new law, making enforcement a likely priority.

The new law requires organizations to maintain a policy for disposing of documents containing consumer data and to notify Colorado residents of any potential personal information exposure no later than 30 days after discovering a data breach. The 30-day notification window does not provide for any specific exemptions (such as HIPAA) and is the shortest of any U.S. state.

A. Who does the new Colorado law apply to?

The new law will apply to any “Covered Entity” which is an entity that “maintains, owns, or licenses personal identifying information” of a Colorado resident in the course of business.

B. What constitutes personal identifying information?

The definition of personal identifying information is broad, and can include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device (as defined in C.R.S. § 18-5-701(3)).

C. What measures are Covered Entities required to implement?

  1. Reasonable Security Procedures and Practices: Covered Entities must themselves “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”
  2. Flow Down Security Requirements to Third-Party Service Providers: Additionally, Covered Entities must also require any third-party service providers with access to personal identifying information provided by the Covered Entity to take measures that are “appropriate to the nature of the personal identifying information disclosed” and “reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.” Covered Entities may instead provide security for the transferred information themselves, although this will likely be the exception.
  3. Disposal Requirements for Personal Identifying Information: Covered Entities that “maintain[] paper or electronic documents during the course of business that contain personal identifying information” will now be required to develop a written policy for the destruction or disposal of such information once such documents are “no longer needed.”

D. How have the Data Breach notification requirements changed?

  1. Personal Information now includes more categories: Colorado’s existing law covered personal information of Colorado residents. The new law adds new categories to what constitutes personal information. These new categories are: (1) student, military, or passport identification number; (2) medical information; (3) health insurance identification number; (4) biometric data; and (5) a username or email address, in combination with a password or security questions and answers, that would permit access to an online account.
  2. Expanded Notice Letter Requirements: Notice letters must now contain an estimated date or date range for the security breach; describe the personal information at issue; provide a contact method for the Covered Entity; and provide contact information for the Federal Trade Commission and Consumer Reporting Agencies, including information about obtaining information from these agencies with regard to fraud alerts and security freezes. If a username or email address along with a password or security question/answers are at issue, the notice must also direct the person to take appropriate steps, including changing their password and the answers to their security questions.
  3. Attorney General Must Be Notified if Breach Affects Over 500 Colorado Residents: This is likely to lead to additional interest in security breaches from the Colorado Attorney General’s office.

Tightening timeframes and expanding definitions of covered personal information require U.S. companies to examine their data breach response plans more closely and to prepare to investigate quickly and efficiently in order to comply with state reporting requirements.