On September 1st, a new data protection law took effect in Colorado. The statute requires Colorado employers to implement procedures to protect and eventually destroy employees’ personally identifiable information, and it expands employers’ notification requirements if employees’ information is compromised as the result of a data breach. While the law provides new duties for Colorado employers, it outlines best practices that should be taken into consideration for employers outside of the state as well.
Under the new law, covered entities (which will include most Colorado employers) that maintain “personal identifying information” of Colorado residents must “implement and maintain reasonable security procedures and practices” to protect that information. If the information is provided to a third-party service provider (such as a payroll services provider or PEO), the covered entity has to make sure that third-party provider also implements and maintains “reasonable security procedures and practices.” The “personal identifying information” at issue includes any “biometric data,” passwords, personal identification numbers, and data that most employers routinely maintain about their employees, including social security numbers and driver’s license information.
The statute also requires covered entities that maintain documents “during the course of business that contain personal identifying information” to “develop a written policy for the destruction or proper disposal of those paper and electronic documents containing personal identifying information.” Unless otherwise required by state or federal law, that policy must provide that when such documents “are no longer needed,” covered employers must shred, erase, “or otherwise modify . . . the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.”
While guidance should be forthcoming about just what steps would satisfy the “reasonableness” requirements of the statute, all employers — both inside and outside of Colorado — should evaluate their data protection and data breach policies, and implement written policies if they are not in place now. In thinking about those policies, employers should ask: Who has access to employees’ personal information, and how is that access limited? What state-specific requirements apply to the maintenance of employee records? Does the company’s document retention policy address when and how former employees’ personally identifying information is destroyed? Does the company have a rapid response and notification plan ready in the event of a data breach? If so, does it comply with the laws of each state in which the company’s employees reside?
Asking these questions, and auditing your practices now, could help avoid surprises later.