In January 2018, Colorado legislators sponsored a bill that, if passed, will change the state’s existing data breach reporting laws in important ways. A House Committee Report detailing the current version of the bill can be found here. The bill would create a new statute, C.R.S. § 6-1-713.5, titled Protection of Personal Identifying Information, which amends the existing statutes C.R.S. § 6-1-713, governing the disposal of personal identifying information, and C.R.S. § 6-1-716, Notification of Security Breach. Included in these proposed changes are the following amendments:
Disposal of Personal Identifying Information
All “public and private entit[ies] in the state that maintain paper or electronic documents during the course of business that contain personal identifying information” will be required to develop a written policy for the destruction or disposal of such information once such documentation is “no longer needed.”
Protection of Personal Identifying Information
A person who maintains, owns or licenses personal identifying information of a Colorado resident shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operation. A third-party service provider must also implement and maintain reasonable security procedures and practices to protect personal identifying information.
Expanding the Security Breach Notification Requirements
C.R.S. § 6-1-716 defines a “security breach” as “the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity.”
The proposed definition of “personal information” would expand the type of information that would give rise to a “security breach.” The proposed definition includes a Colorado resident’s:
– First name or first initial and last name in combination with any one or more of the following: (1) Social Security number; (2) student, military or passport identification number; (3) driver’s license number or identification card number; (4) account number or credit card or debit card number; (5) medical information; (6) health insurance identification number; or (7) biometric data, where such information is not “encrypted, redacted, or secured” by any method that would “render the name or the element unreadable or unusable”
– Username or email address in combination with a password or security questions and answers that would permit access to an online account.
Existing Colorado law provides that notice of a data breach affecting the personal information of a Colorado resident must be made “in the most expedient time possible and without unreasonable delay.” The proposed amendment would require an individual or a commercial entity that maintains, owns or licenses computerized data that includes personal information about a resident of Colorado to give notice “not later than thirty days after the date of determination that a security breach has occurred.” The bill includes a definition of when a security breach occurred to mean the “point in time at which there is sufficient evidence to conclude that a security breach has taken place.” The amendments also provide that where Colorado and federal notification laws conflict, “the law or regulation with the shortest time frame for notice to the individual controls.”
An individual or entity may provide electronic or other form notice of a security breach involving a Colorado resident’s username or email address within five days of determining that a security breach occurred. The electronic or other form notice directs the individual whose personal information has been breached to promptly change his or her password and security question or answer, or to take other actions to protect the online account.
Likewise, the amendments would require an individual or entity to give “notice of any security breach to the Colorado Attorney General as soon as practicable but not later than thirty days after the date of determination that a security breach occurred if the security breach is reasonably believed to have affected five hundred Colorado residents or more.” However, an entity need not give notice to the attorney general if an “investigation determines that the misuse of information about a Colorado resident has not occurred and is not likely to occur.”
The cumulative effect of these proposed regulations would be a considerable expansion of Colorado’s data breach laws, with heightened data destruction requirements, an expanded reach into regulating security breaches affecting a broad range of data, and shorter, stricter reporting requirements. The new reporting requirements have the potential to be impactful given that claims for unlawful delay in breach notification already proliferate post-data-incident class actions filed around the country. On Feb. 14, 2018, the House Committee on State, Veterans and Military Affairs unanimously passed the bill out of committee and to the Colorado legislature – signaling that Colorado may soon join the ranks of states with the strictest data breach laws.
We will continue to watch this bill as it progresses through the legislative process.