Edit ModuleShow Tags

Colorado Enacts New Data Security Law – Are You in Compliance?

Data security requirements regarding the disposal of personal identifying information


On May 29, Gov. John Hickenlooper signed HB-1128 into law. Importantly, the Bill amends the State’s data breach notification law to require that affected Colorado residents be notified within 30 days of a data breach, and specifies the information that must be included in the data breach notice. The new law, which takes effect Sept. 1, applies to “covered entities,” (if your business maintains, owns or licenses information of Colorado residents, regardless of where the business or data is based, it is a “covered entity”), also sets forth certain data security requirements and adds requirements regarding the disposal of personal identifying information.

Among other amendments to Colorado’s existing data breach notification law, the new law defines “personal information” as a combination of a Colorado resident’s first name or initial and last name along with one or more of the following:

1. Social Security number

2. Student, military or passport identification number

3. Driver’s license number or identification card number

4. Medical information

5. Health insurance identification number

6. Biometric data

The definition of “personal information” also includes a Colorado resident’s

1. Username or email address in combination with a password or security questions and answers that would enable access to an online account

2. Account number or credit or debit card number in combination with any required security code, access code or password that would enable access to that account.

If a data breach has affected more than 500 Colorado residents (or is reasonably believed to have done so), those residents must be notified of the breach within 30 days (with no extensions), and the Colorado Attorney General must also be provided notice of the breach, regardless of what other security breach procedures the entity might maintain.

The notice must contain certain information, including:

  1. The date or estimated date or estimated date range of the breach
  2. A description of the personal information breached or reasonably believed to have been breached
  3. The entity’s contact information
  4. The toll-free numbers, addresses and websites for consumer reporting agencies and the FTC
  5. A statement that the Colorado resident can obtain information from the FTC and the credit reporting agencies regarding fraud alerts and security freezes. If the breach involves a Colorado resident’s username or email address in combination with a password or security questions and answers that would enable access to an online account, the entity must also direct affected individuals to take appropriate steps to protect their online accounts

Additional provisions of the bill require covered entities to ensure that third-party vendors protect person information before it is shared with the vendor and to implement written policies governing secure document disposal.

The new law does not include exemptions for size or type of entity, and coverage extends to government agencies. The law authorizes the Attorney General to bring an action to ensure compliance and/or recover damages, and authorized relief may include criminal charges.

Edit Module
Danielle Urban

Danielle S. Urban is a partner in the Denver office of Fisher Phillips, representing employers nationally in labor, employment, civil rights, employee benefits and immigration matters. Contact her at durban@fisherphillips.com or 303.218.3650.

Get more content like this: Subscribe to the magazine | Sign up for our Free e-newsletter

Edit ModuleShow Tags

Archive »Related Articles

Five Traits of Successful Solopreneurs

Typically, a solopreneur’s income is a direct result of his or her skills, personality or presence. In other words, if you’re a solopreneur, your business doesn’t operate without you.

Faces of Public Accounting: ACM

ACM provides audit, tax and consulting services to the Rocky Mountain Region’s entrepreneurial and middle market companies along with their owners, as well as public sector and philanthropic organizations.

School's Out: 11 Critical Skills for the Future

The Futurist lays out a few hard-to-teach skills and superpowers that will keep you employable for many decades to come.
Edit ModuleShow Tags
Edit ModuleEdit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags