Edit ModuleShow Tags

What Companies Need to Know About Changes to Colorado's Cybersecurity Law

New legislation passed by in Colorado and went into affect September 1


Entities doing business in Colorado will need to comply with new data security requirements as a result of legislation passed by the Colorado legislature that went into effect on September 1. The legislation was spearheaded by the Colorado Attorney General’s office to strengthen the office’s ability to investigate and take action against entities that do not take proper measures to protect the confidential information of Colorado residents.

Specifically, the new law requires covered entities to:

  • Implement and maintain reasonable security measures to protect paper and electronic documents containing personal identifying information of Colorado residents;
  • Contractually require third-party service providers to implement and maintain reasonable security measures to protect paper and electronic documents containing personal identifying information of Colorado residents; and
  • Implement a written policy to dispose of documents containing personal identifying information of Colorado residents.

The law defines “personal identifying information” broadly to include social security numbers, personal identification numbers, passwords, pass codes, official state or government-issued drivers’ license or identification card numbers, government passport numbers, biometric data, employer identification numbers, student identification numbers, military identification numbers and financial transaction devices.


The law also significantly amends Colorado’s data breach notification statute to make it one of the strictest in the country. Under the amended law, if a business suspects it experienced a security breach, it must conduct a prompt investigation to determine whether a compromise of “personal information” occurred. If so, it must notify affected Colorado residents within 30 days and provide specific information as to the nature of the breach, such as a description of the personal information that was compromised and the date of the breach. Notice also must be provided to the Colorado Attorney General’s office if the breach affected the personal information of 500 or more Colorado residents.

The new law drastically expands the type of information that will trigger a breach notification obligation if compromised. Specifically, the law defines “personal information” to mean a Colorado resident’s first name or first initial and last name in combination with any of the following data elements: social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. The definition also includes a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account or a Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.

To ensure compliance with the law, covered entities should develop and implement:

  • A written information security program containing administrative, technical, and physical safeguards to protect personal identifying information;
  • A written document retention/disposal policy that complies with the law’s requirements;
  • A third-party vendor-management program that ensures personal identifying information is treated properly when transferred to third-party service providers; and
  • An incident-response plan that complies with the law’s breach notification requirements.

David M. Stauss is a partner at Ballard Spahr's Denver office and Gregory P. Szewczyk is an associate.

Edit Module

Get more content like this: Subscribe to the magazine | Sign up for our Free e-newsletter

Edit ModuleShow Tags

Archive »Related Articles

Norwich University launches online bachelor's program in business administration

The program will start with six concentration paths, which include: cyber security management, human resource management, leadership studies, procurement and contract management, financial services management and supply chain management.

How companies can win with philanthropy

Simply giving money to a charity or philanthropic organization doesn’t necessarily carry the same impact as taking the time to work side-by-side with others. Donating time builds stronger teams and creates a sense of empathy among employees

Pitkin County takes aim on high-energy mansions

Aspen joins Denver, Boulder and Fort Collins among the 31 jurisdictions across the United States that employ energy benchmarking as a tool for driving down building energy use.
Edit ModuleShow Tags
Edit ModuleEdit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags