2018 continues to be a landmark year for increased privacy regulation at every level – international, national, state, industry, and so on. In March, South Dakota and Alabama became the last two states to enact breach notification laws, and this month Colorado passed a new breach notification law, titled Protections for Consumer Data Privacy (HB 18-1128). It is expected to go into effect on September 1, 2018.

The new law’s stricter requirements make Colorado one of the leaders in data protection legislation in the United States. The law places tighter requirements on organizations that collect, process, and store PII in hardcopy documentation, expands the scope of the previous law (Col. Rev. Stat. tit 6, art.1, s6-1-716), and significantly shortens the timeline for reporting a breach. Let’s take a look at these new requirements.

This post provides an overview of the changes found in this new legislation. The full text can be found here.

The Scope

HB 18-1128 defines a “covered entity” as any entity that maintains, owns, or licenses the personally identifiable information (PII) of a Colorado resident.

Defining a Data Breach

The new law defines a data breach as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PII maintained by an individual or a commercial entity.

Defining Personally Identifiable Information (PII)

In Colorado, PII includes the combination of a person’s first or last name with their:

  • Social Security number;
  • Driver’s license number;
  • Account number or credit or debit card number in combination with any required security code, access code, or password that gives access to an individual’s financial account;
  • Health information as defined by HIPAA; and
  • An identification number assigned by an employer in combination with any required security code/password or biometric data for authentication purposes.

However, Colorado has followed in the footsteps of many other states and expanded this definition in its new legislation. The new law adds the following data elements to the definition:

  • Student identification numbers;
  • Military or government identification numbers; and
  • Passport numbers.

It also includes a website username in combination with a password or an answer to a security question, and a credit or debit card number in combination with its security code.

Breach Notification Requirements

A notable change in Colorado’s new law is its 30-day breach notification timeline, which is significantly shorter than most states’ requirements (the only one that comes close is Florida). No later than 30 days after a breach is discovered, organizations must make affected individuals aware that a breach has occurred through a Notice Letter, which must include the following:

  • An estimation of when the breach occurred (date range)
  • The types of PII that may have been affected
  • The organization’s contact information for communications with affected individuals
  • Contact information for the Federal Trade Commission and consumer reporting agencies
  • Any appropriate steps an affected individual may or should take to protect their information

In addition, for any breach that affects over 500 Colorado residents, organizations must notify the state’s Attorney General.

A New Requirement for Paper Documentation

HB 18-1128 also includes a specific requirement for organizations that collect, process, and store PII in hardcopy documentation, leaving a paper trail. These organizations are required to develop a written destruction policy for the proper disposal of hardcopy documentation and to dispose of all hardcopies of the information they hold about an individual once the data is no longer necessary.

Colorado’s new data protection legislation introduces a number of new, stricter requirements, which means organizations with operations in Colorado will need to review it carefully and develop policies and procedures that align. As more and more states enact stronger legislation around data protection, companies with operations across the U.S. will need to implement procedures for monitoring and integrating these changes. Download our guide to the breach notification laws in all 50 states to get started.


Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.
