
Alston & Bird Privacy, Cyber & Data Strategy Blog

Colorado Enacts Expanded Data Breach Notification Law

June 5, 2018 By Kate Hanniford

Consistent with recent expansions to state data breach notification laws, Colorado has enacted an expanded data privacy law that strengthens the state’s existing breach notification law and that requires policies and procedures concerning the protection and destruction of personal identifying information (“PII”).  The law applies to any individual or commercial entity that maintains, owns, or licenses “personal information” or PII, as applicable, in the course of its business, vocation, or occupation, and also contains largely identical provisions that apply to state and local governments.  House Bill 18-1128 amends Colo. Rev. Stat. § 6-1-713 et seq. and takes effect on September 1, 2018.

Breach Notification

The new law expands the pre-existing definition of “personal information,” whose unauthorized acquisition may trigger notification obligations, to include a first name or initial and last name in combination with unencrypted or unsecured medical information, health insurance identification information, and biometric data.  In addition, the statute includes as personal information a username or email address and password or security questions and answers that would permit access to an online account.  Colo. Rev. Stat. § 6-1-716(1)(g).  (Note that the definition of “personal information” is somewhat broader than the statute’s more standard definition of PII, which is the focus of the data protection and data destruction provisions of the new law).

In the event of a breach, the new law will require notice to affected Colorado residents within 30 days of a determination that a breach has occurred and that personal information has been misused or is reasonably likely to be misused.  The statute specifically defines “determination that a security breach has occurred” to mean “the point in time at which there is sufficient evidence to conclude that a security breach has taken place.”  Colo. Rev. Stat. § 6-1-716(1)(c).  If 500 or more Colorado residents are affected, the covered entity must also notify the Colorado Attorney General within the 30-day timeframe.

Finally, the new law provides a limited safe harbor for a covered entity that maintains its own notification procedures as part of either its information security policy or pursuant to state or federal regulatory oversight.  As long as the covered entity’s information security policy is consistent with the new law and the 30-day notification timeline, and it notifies affected Colorado residents in accordance with those policies and procedures, the covered entity is in compliance with the statute.  If the Colorado law and another state or federal law or regulation are not consistent with respect to breach notification timing, the law or regulation with the shortest timeframe will control.  Notwithstanding this limited safe harbor, notification to the Colorado Attorney General within the 30-day timeframe is still required for breaches affecting 500 or more Colorado residents.

Data Protection and Destruction

To comply with the law’s new data protection and expanded data destruction obligations, a covered entity must implement and maintain “reasonable security procedures and practices that are appropriate to the nature of the [PII] and the nature and size of the business and its operations.”  Colo. Rev. Stat. § 6-1-713.5(1).  More specifically, a covered entity must develop and maintain policies and procedures to govern the destruction and disposal of both paper and electronic documents containing PII.  Colo. Rev. Stat. § 6-1-713(1).  Note that the definition of PII is somewhat narrower than the definition of “personal information,” as described above.

Although third party service providers are not directly covered by the law, a covered entity is responsible for the security protection of the information it discloses to third party service providers.  The law states that unless the covered entity provides its own protection for the information it shares with third party service providers, the covered entity shall require the third party service provider to implement and maintain reasonable security procedures and practices.  A covered entity is expected to implement and maintain technical controls that are reasonably designed to protect the PII shared with the third party and “effectively eliminate” the third party’s ability to access PII, notwithstanding the third party’s physical possession of the PII. Colo. Rev. Stat. § 6-1-713.5(3).  The law also requires the third party to promptly notify the covered entity and to cooperate with the covered entity in the event of a security breach.

Filed Under: Data Breach, Data Protection, Data Security, Security Breach Tagged With: Data Breach Notification, US State Law

About Kate Hanniford

Kate Hanniford is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team.  She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation.
