Effective Sept. 1, 2018, Colorado will require all entities that process or store certain personal information of Colorado residents, regardless of whether the entity is located within or outside of Colorado, to have formal data security and data disposal programs. This is the result of the adoption of Bill 18-1128 “Concerning Strengthening Provisions for Consumer Data Privacy,” signed into law at the end of May 2018, to amend and supplement existing law (the “Amendment”). The Amendment also updates existing provisions of Colorado law related to security breach disclosures; these provisions are not discussed in this Alert.

Personal Identifying Information

The Amendment expands the scope of the protection of personal identifying information. Previously, the definition of “personal identifying information” under the Colorado law was limited to a resident’s first name or initial and last name in combination with the individual’s Social Security, driver’s license, or identification card number, or a credit or debit card or bank account number, combined with a password or access code.

The new definition includes additional forms of identification, such as student, military, passport, and health insurance identification number, as well as other types of information, such as medical information or biometric data. It also includes username or e-email address in combination with a password or security question answers that would permit access to an online account.

Security Program

The Amendment requires covered entities to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and to the size of the entity and its operations. A “covered entity” is a person that maintains, owns, or licenses personal information in the course of the person’s business, vocation, or occupation.

There is no guidance as to the content of the security program. The law specifies only that it must be reasonable and appropriate to the nature of the personal identifying information and to the nature and size of the entity and its operations.

Use of Third Party Service Providers

The use of third party service providers is subject to separate provisions. A “third party service provider” is an entity that has “been contracted to maintain, store or process personal information on behalf of a covered entity.”

When disclosing personally identifying information to a third party service provider, covered entities have two options. Either they must provide their own security protection to the personally identifying information processed by the third party, or they must require the third party service provider to implement security measures. In both cases, there must be reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and reasonably designed to help protect the information from unauthorized access, use, modification, disclosure, or destruction.

If the covered entity elects to retain primary responsibility for implementing and maintaining those security procedures, it must implement and maintain those measures or “effectively eliminate the third party’s ability to access the personal identifying information, notwithstanding the third party’s physical possession of the personal identifying information.” There is no guidance on the acceptable methods for eliminating such access.

Data Disposal Policy

The Amendment also requires that, by Sept. 1, 2018, entities collecting specified personal identifying information of Colorado residents adopt a written policy for the destruction and disposal of paper and electronic documents containing such information. The policy must require the destruction of those documents as soon as they are no longer needed. The covered entity must itself destroy, or arrange for the destruction of, the paper or electronic documents in its custody or control, by shredding, erasing, or modifying the personal identifying information to make it unreadable or indecipherable through any means.

What Standards?

The Amendment does not specify the expected content of the required data protection programs, or what measures or processes must be followed to design a suitable program. It indicates, however, that covered entities regulated by other state or federal laws that maintain security and disposal procedures for the protection of personal identifying information that meet those laws would be deemed in compliance with the Amendment.

Required Actions

By Sept. 1, entities that do business in Colorado or collect personal information of Colorado residents should ensure that they:

  • Have an appropriate written security program that includes procedures and controls that are reasonably adapted to the nature of the personal identifying information in their custody. Generally, this includes physical measures, for example, access limitation; technical measures, for example, passwords and encryption; and administrative measures, for example, contracts or incident response plan.
  • Have a written destruction and disposal policy that addresses both the disposal of paper and electronic documents.
  • Have proper contracts in place with their third party service providers that meet the requirements in the Amendment.

The adoption of the Colorado law is a reminder of the need for appropriate measures to protect personal information. Numerous federal, state, and foreign laws already require proper protection of specified categories of personal information. Organizations that collect personal identifying information of Colorado residents and that do not yet have the written programs necessary to formalize their data protection practices urgently need to focus on compliance. Those that have an existing program should evaluate its currency, efficiency, and scope, as it is likely that the new law will trigger enquiries from customers and prospects, and, potentially, enforcement actions or third party claims.

While some aspects of these security and data disposal programs are better left to information security professionals, other aspects fall directly under the competence of legal professionals who can assist in shaping and documenting these programs in a way to meet the requirements and expectations of the regulators, and comply with applicable laws.