Edit ModuleShow Tags

What Companies Need to Know About Changes to Colorado's Cybersecurity Law

New legislation passed by in Colorado and went into affect September 1


Entities doing business in Colorado will need to comply with new data security requirements as a result of legislation passed by the Colorado legislature that went into effect on September 1. The legislation was spearheaded by the Colorado Attorney General’s office to strengthen the office’s ability to investigate and take action against entities that do not take proper measures to protect the confidential information of Colorado residents.

Specifically, the new law requires covered entities to:

  • Implement and maintain reasonable security measures to protect paper and electronic documents containing personal identifying information of Colorado residents;
  • Contractually require third-party service providers to implement and maintain reasonable security measures to protect paper and electronic documents containing personal identifying information of Colorado residents; and
  • Implement a written policy to dispose of documents containing personal identifying information of Colorado residents.

The law defines “personal identifying information” broadly to include social security numbers, personal identification numbers, passwords, pass codes, official state or government-issued drivers’ license or identification card numbers, government passport numbers, biometric data, employer identification numbers, student identification numbers, military identification numbers and financial transaction devices.


The law also significantly amends Colorado’s data breach notification statute to make it one of the strictest in the country. Under the amended law, if a business suspects it experienced a security breach, it must conduct a prompt investigation to determine whether a compromise of “personal information” occurred. If so, it must notify affected Colorado residents within 30 days and provide specific information as to the nature of the breach, such as a description of the personal information that was compromised and the date of the breach. Notice also must be provided to the Colorado Attorney General’s office if the breach affected the personal information of 500 or more Colorado residents.

The new law drastically expands the type of information that will trigger a breach notification obligation if compromised. Specifically, the law defines “personal information” to mean a Colorado resident’s first name or first initial and last name in combination with any of the following data elements: social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. The definition also includes a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account or a Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.

To ensure compliance with the law, covered entities should develop and implement:

  • A written information security program containing administrative, technical, and physical safeguards to protect personal identifying information;
  • A written document retention/disposal policy that complies with the law’s requirements;
  • A third-party vendor-management program that ensures personal identifying information is treated properly when transferred to third-party service providers; and
  • An incident-response plan that complies with the law’s breach notification requirements.

David M. Stauss is a partner at Ballard Spahr's Denver office and Gregory P. Szewczyk is an associate.

Edit Module

Get more content like this: Subscribe to the magazine | Sign up for our Free e-newsletter

Edit ModuleShow Tags

Archive »Related Articles

Meet Your New Favorite Secret Brand Weapon: Signals

Even major brands can undermine their own goals when they get out of perceptual alignment — by saying, showing or doing things that create consumer confusion or mistrust.

Hyatt Regency Aurora: From Business to Leisure

The hotel is located just 15 miles outside of the Denver International Airport and across the street from the Anschutz Medical Campus, the largest academic health center in the Rocky Mountain region.

Most Powerful Salespeople 2019: Cisco Systems' Jennifer Chang

She now leads the Federal Civilian Scientific team at Cisco Systems, which is responsible for $250 million in business. The team is made up of 10 sales professionals, nine systems engineers and 20 integrated team members across Cisco.
Edit ModuleShow Tags
Edit ModuleEdit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags