2018 continues to be a landmark year for expanded privacy regulation at every level: international, national, state, and industry. In March, South Dakota and Alabama became the last two states to enact breach notification laws, and this month Colorado passed a new breach notification law, titled Protections for Consumer Data Privacy (HB 18-1128). It is expected to take effect on September 1, 2018.
The new law's stricter requirements make Colorado one of the leaders in data protection legislation in the United States. The law tightens the requirements on organizations that collect, process, and store personally identifiable information (PII) in paper and electronic records, expands the scope of the previous statute (Colo. Rev. Stat. § 6-1-716), and significantly shortens the timeline for reporting a breach. Let's take a look at these new requirements.
This post provides an overview of the changes found in this new legislation. The full text can be found here.
HB 18-1128 defines a "covered entity" as any person or business that maintains, owns, or licenses the personally identifiable information (PII) of a Colorado resident in the course of its business.
The new law defines a security breach as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PII maintained by a covered entity. Note the word "unencrypted": whether the compromised data was encrypted (and whether the means to decrypt it stayed protected) is the first question a covered entity will have to answer when deciding if an incident is a reportable breach.
In Colorado, PII includes the combination of a person’s first or last name with their:
However, Colorado has followed in the footsteps of many other states and expanded this definition in its new legislation. The new law adds several data elements to the list, including:
It also treats as PII a username or email address in combination with a password or security question and answer that would permit access to an online account, and an account number or credit/debit card number in combination with any security code, access code, or password required to access that account.
A notable change in Colorado's new law is its 30-day breach notification timeline, which is significantly shorter than most states' requirements (Florida's 30-day deadline is the only comparable one). No later than 30 days after determining that a security breach occurred, organizations must make affected individuals aware of the breach through a Notice Letter, which must include the following:
In addition, for any breach reasonably believed to have affected 500 or more Colorado residents, organizations must also notify the Colorado Attorney General within the same 30-day window.
HB 18-1128 also includes a specific requirement for organizations that maintain paper or electronic documents containing PII during the course of business. These organizations must develop a written policy for the destruction or proper disposal of those documents and must dispose of all such records for an individual once the data is no longer needed, rendering the PII unreadable or indecipherable.
Colorado's new data protection legislation introduces a number of new, stricter requirements, which means organizations with operations in Colorado will need to review it carefully and develop policies and procedures that align with it. As more and more states enact stronger data protection legislation, companies with operations across the U.S. will need to implement procedures for monitoring and integrating these changes. Download our guide to the breach notification laws in all 50 states to get started.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.