Colorado Passes Broad Data Security Law

Colorado has passed a broad cybersecurity and data breach notification law that will require covered entities dealing in personally identifying information to create and implement data security protection protocols and shortens the notification time after the discovery of a data breach to 30 days.  By passing this law, Colorado joins New York as the only states to codify regulatory requirements concerning cybersecurity standards.

The new law places general rules on “covered entities,” which includes essentially all businesses or individuals that maintain, own, or license the personal identifying information of Colorado residents.  The law defines “personal identifying information” as a resident’s social security number; personal identification number; a password; a pass code; an official state or government-issued driver’s license or ID card number; a government passport number; biometric data; an employer, student, or military ID number; or a financial transaction device.

Cybersecurity Requirements

Under the new law, covered entities that maintain paper or electronic documents that contain personal identifying information must develop a written policy for the disposal of those documents.  In addition to drafting and implementing disposal requirements, covered entities must implement and maintain reasonable security procedures and practices that are appropriate to the nature and size of the business and its operations.  The law does not lay out more specific directives.

The law also requires that a covered entity ensure all third-party service providers similarly implement and maintain reasonable security practices subject to the same broad requirements, unless the covered entity elects to provide its own security protection for information disclosed to the third-parties.  Third-party services providers are entities that has been contracted by a covered entity to maintain, store, or process personal identifying information.

If a covered entity is regulated by other state or federal law that already requires the disposal of such information or the maintenance of procedures for the protection of personally identifying information, compliance with those laws is deemed sufficient to comply with Colorado’s new law.

Data Breach Notification Updates

While Colorado already had a data breach notification statute, this new law implements more stringent requirements on covered entities.  Now, disclosure must be made within 30 days of a determination that a security breach resulting in the possible dissemination of personal information occurred—with the typical requirement that the needs of law enforcement be taken into account.  Importantly, if a covered entity is subject to state or federal laws that maintain procedures for a security breach notification that call for a different notification time period, the shorter time frame for notice controls.

The new law defines “personal information” broadly in three categories: 1) a resident’s first name/initial and last name combined with one or more of the following: social security number; student, military, or passport ID number; driver’s license number or ID card number; medical information; health insurance ID number; or biometric data; 2) a resident’s username or email address together with a password or security questions/answers that would permit someone to access an online account; and 3) a resident’s bank account or credit/debit account number in conjunction with an account code or password that would permit access to the account.  A covered entity’s obligation to issue a data breach notification is triggered if the security, confidentiality, or integrity of a resident’s personal information is compromised by its unauthorized acquisition.

Additionally, the notification must now including the following information: 1) the date, estimated date, or estimated range of when the breach occurred; 2) a description of the personal information that was, or reasonably believed to be, acquired as part of the breach; 3) the information that can be used to contact the entity to inquire about the breach; 4) the toll-free numbers, addresses, and websites for consumer reporting agencies; 5) the toll-free number, address, and website for the FTC; and 6) a statement that the resident can obtain information from the FTC and credit agencies requesting fraud alerts and credit freezes.  However, if the breach includes encrypted or otherwise secured personal information and the encryption key or other means to decipher the secured information is not breached, the entity is not subject to the notification requirements.

The new law also provides for similar data protection requirements and data breach notification procedures applicable to governmental entities.

Colorado’s new cybersecurity and data breach notification law takes effect September 1, 2018.