Colorado is poised to join a number of states strengthening their privacy and data breach notification laws. HB 18-1128, now making its way through the Colorado legislature, revises existing law to improve protections for Colorado residents. Its most pressing change imposes a 30-day deadline, running from the “date of determination that a security breach occurred,” to disclose the breach to affected consumers and, for a breach that affects 500 or more Colorado residents, to the Colorado Attorney General.
The bill also specifies the information that must be included in a notification letter. Current law sets no statutory disclosure deadline; it requires only that notification occur “in the most expedient time possible and without unreasonable delay.” If enacted, the 30-day deadline would place Colorado among the handful of states with the shortest notification timelines in the country (North Carolina is currently evaluating a 15-day deadline). With the sharp increase in data breach events in recent years, timely notification has become as important as the practices and procedures used to protect sensitive information. A fixed 30-day deadline gives consumers the opportunity to respond quickly to the improper release of their most sensitive information, but it also shortens the window within which companies must investigate, make a determination, and react.
It also is important to note that the proposed changes require any person or entity that uses a nonaffiliated third party as a service provider to ensure that the third party maintains reasonable security procedures and practices that are “appropriate to the nature of the personal identifying information disclosed to the nonaffiliated third party and reasonably designed to help protect the personally identifying information [PII] from unauthorized access, use, modification, disclosure, or destruction.” Therefore, it is crucial for any commercial entity that maintains, owns or licenses computerized data that includes the personal information of a Colorado resident to ensure that it and its vendors both use sufficient security procedures should the new law go into effect.