
What Companies Need to Know About Changes to Colorado's Cybersecurity Law

New legislation passed in Colorado went into effect September 1


Entities doing business in Colorado will need to comply with new data security requirements as a result of legislation passed by the Colorado legislature that went into effect on September 1. The legislation was spearheaded by the Colorado Attorney General’s office to strengthen the office’s ability to investigate and take action against entities that do not take proper measures to protect the confidential information of Colorado residents.

Specifically, the new law requires covered entities to:

  • Implement and maintain reasonable security measures to protect paper and electronic documents containing personal identifying information of Colorado residents;
  • Contractually require third-party service providers to implement and maintain reasonable security measures to protect paper and electronic documents containing personal identifying information of Colorado residents; and
  • Implement a written policy to dispose of documents containing personal identifying information of Colorado residents.

The law defines “personal identifying information” broadly to include social security numbers, personal identification numbers, passwords, pass codes, official state or government-issued drivers’ license or identification card numbers, government passport numbers, biometric data, employer identification numbers, student identification numbers, military identification numbers and financial transaction devices.


The law also significantly amends Colorado’s data breach notification statute to make it one of the strictest in the country. Under the amended law, if a business suspects it experienced a security breach, it must conduct a prompt investigation to determine whether a compromise of “personal information” occurred. If so, it must notify affected Colorado residents within 30 days and provide specific information as to the nature of the breach, such as a description of the personal information that was compromised and the date of the breach. Notice also must be provided to the Colorado Attorney General’s office if the breach affected the personal information of 500 or more Colorado residents.

The new law drastically expands the type of information that will trigger a breach notification obligation if compromised. Specifically, the law defines “personal information” to mean a Colorado resident’s first name or first initial and last name in combination with any of the following data elements: social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. The definition also includes a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account or a Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.

To ensure compliance with the law, covered entities should develop and implement:

  • A written information security program containing administrative, technical, and physical safeguards to protect personal identifying information;
  • A written document retention/disposal policy that complies with the law’s requirements;
  • A third-party vendor-management program that ensures personal identifying information is treated properly when transferred to third-party service providers; and
  • An incident-response plan that complies with the law’s breach notification requirements.

David M. Stauss is a partner at Ballard Spahr's Denver office and Gregory P. Szewczyk is an associate.
