Consistent with recent expansions to state data breach notification laws, Colorado recently enacted an expanded data privacy law that strengthens the state’s existing breach notification law and that requires policies and procedures concerning the protection and destruction of personal identifying information (“PII”). The law applies to any individual or commercial entity that maintains, owns, or licenses “personal information” or PII, as applicable, in the course of its business, vocation, or occupation, and also contains largely identical provisions that apply to state and local governments. House Bill 18-1128 amends Colo. Rev. Stat. § 6-1-713 et seq. and takes effect on September 1, 2018.
The new law expands the pre-existing definition of “personal information,” whose unauthorized acquisition may trigger notification obligations, to include a first name or initial and last name in combination with unencrypted or unsecured medical information, health insurance identification information, or biometric data. In addition, the statute includes as personal information a username or email address in combination with a password or security questions and answers that would permit access to an online account. Colo. Rev. Stat. § 6-1-716(1)(g). (Note that the definition of “personal information” is somewhat broader than the statute’s more standard definition of PII, which is the focus of the data protection and data destruction provisions of the new law.)
In the event of a breach, the new law will require notice to affected Colorado residents within 30 days of a determination that a breach has occurred and that personal information has been misused or is reasonably likely to be misused. The statute specifically defines “determination that a security breach has occurred” to mean “the point in time at which there is sufficient evidence to conclude that a security breach has taken place.” Colo. Rev. Stat. § 6-1-716(1)(c). If 500 or more Colorado residents are affected, the covered entity must also notify the Colorado Attorney General within the 30-day timeframe.
Finally, the new law provides a limited safe harbor for a covered entity that maintains its own notification procedures, either as part of its information security policy or pursuant to state or federal regulatory oversight. As long as the covered entity’s information security policy is consistent with the new law and the 30-day notification timeline, and it notifies affected Colorado residents in accordance with those policies and procedures, the covered entity is in compliance with the statute. If the Colorado law and another state or federal law or regulation are inconsistent with respect to breach notification timing, the law or regulation with the shortest timeframe controls. Notwithstanding this limited safe harbor, notification to the Colorado Attorney General within the 30-day timeframe is still required for breaches affecting 500 or more Colorado residents.
Data Protection and Destruction
To comply with the law’s new data protection and expanded data destruction obligations, a covered entity must implement and maintain “reasonable security procedures and practices that are appropriate to the nature of the [PII] and the nature and size of the business and its operations.” Colo. Rev. Stat. § 6-1-713.5(1). In addition, a covered entity must develop and maintain a written policy governing the destruction and disposal of both paper and electronic documents containing PII once they are no longer needed. Colo. Rev. Stat. § 6-1-713(1). Note that the definition of PII is somewhat narrower than the definition of “personal information,” as described above.
Although third-party service providers are not directly covered by the law, a covered entity remains responsible for the security of the information it discloses to them. The law states that unless the covered entity provides its own protection for the information it shares with a third-party service provider, the covered entity shall require the third-party service provider to implement and maintain reasonable security procedures and practices. A covered entity is treated as providing its own protection if it implements and maintains technical controls reasonably designed either to protect the PII shared with the third party or to “effectively eliminate” the third party’s ability to access the PII, notwithstanding the third party’s physical possession of it (in practice, for example, encrypting the data under keys the provider never holds). Colo. Rev. Stat. § 6-1-713.5(3). The law also requires the third party to promptly notify the covered entity of, and cooperate with the covered entity in responding to, a security breach.