Colorado's Revised Data Disclosure Law

One of the most stringent in the country


Colorado’s Protections for Consumer Data Privacy law (“new law”) takes effect September 1 and requires that businesses holding personal information for Colorado residents destroy the data they don’t need, protect the data they decide to keep and disclose any security breaches involving that data within 30 days of its occurrence. The new law amends existing obligations and adds new obligations applicable to businesses holding information about Colorado residents.


Colorado law already had a definition of PII. The new law clarifies the definition and expands the existing requirement to dispose of paper documents containing PII. Now, businesses must develop a written policy to destroy or dispose of paper and electronic documents containing PII. Businesses must destroy paper and electronic documents that “are no longer needed.”

The new law creates an additional requirement for businesses to protect Colorado residents’ PII from unauthorized access by implementing reasonable security procedures and practices based on (1) the nature and size of the business, and (2) the nature (sensitivity) of the PII.


The law also revises Colorado’s breach notification requirements. The revision expands the original definition of “personal information” (not to be confused with the law’s definition of PII described above) and sets a deadline for disclosing security breaches. A Colorado resident’s personal information now includes two new categories in addition to the original categories. The new categories are:

  1. The resident’s username or e-mail address in combination with a password or security questions and answers that would permit access to an online account;
  2. The resident’s account number or credit or debit card number in combination with any required security code or password that would permit access to that account.

If a business learns that a security breach may have occurred, the organization must promptly investigate the likelihood that Colorado residents’ personal information has been, or will be, misused. Unless the investigation concludes that misuse of personal information is unlikely to occur, the business must disclose the security breach without unreasonable delay and no later than 30 days after discovering the security breach may have taken place.

The new law requires that additional notifications be made in certain cases. If more than 1,000 Colorado residents have to be notified of a security breach, the Covered Entity is also required to notify all consumer reporting agencies that compile and maintain files on consumers nationwide.

If 500 or more Colorado residents are reasonably believed to have been affected by the security breach, the Covered Entity must also notify the Colorado Attorney General of the security breach. The deadline to notify the Attorney General is also 30 days after the point in time at which sufficient evidence exists to conclude that a security breach has taken place.

Erik Dullea is a partner in Husch Blackwell LLP’s Denver office and belongs to the firm’s Technology, Manufacturing & Transportation industry group.