Edit ModuleShow Tags

Colorado Enacts New Data Security Law – Are You in Compliance?

Data security requirements regarding the disposal of personal identifying information


On May 29, Gov. John Hickenlooper signed HB-1128 into law. Importantly, the Bill amends the State’s data breach notification law to require that affected Colorado residents be notified within 30 days of a data breach, and specifies the information that must be included in the data breach notice. The new law, which takes effect Sept. 1, applies to “covered entities,” (if your business maintains, owns or licenses information of Colorado residents, regardless of where the business or data is based, it is a “covered entity”), also sets forth certain data security requirements and adds requirements regarding the disposal of personal identifying information.

Among other amendments to Colorado’s existing data breach notification law, the new law defines “personal information” as a combination of a Colorado resident’s first name or initial and last name along with one or more of the following:

1. Social Security number

2. Student, military or passport identification number

3. Driver’s license number or identification card number

4. Medical information

5. Health insurance identification number

6. Biometric data

The definition of “personal information” also includes a Colorado resident’s

1. Username or email address in combination with a password or security questions and answers that would enable access to an online account

2. Account number or credit or debit card number in combination with any required security code, access code or password that would enable access to that account.

If a data breach has affected more than 500 Colorado residents (or is reasonably believed to have done so), those residents must be notified of the breach within 30 days (with no extensions), and the Colorado Attorney General must also be provided notice of the breach, regardless of what other security breach procedures the entity might maintain.

The notice must contain certain information, including:

  1. The date or estimated date or estimated date range of the breach
  2. A description of the personal information breached or reasonably believed to have been breached
  3. The entity’s contact information
  4. The toll-free numbers, addresses and websites for consumer reporting agencies and the FTC
  5. A statement that the Colorado resident can obtain information from the FTC and the credit reporting agencies regarding fraud alerts and security freezes. If the breach involves a Colorado resident’s username or email address in combination with a password or security questions and answers that would enable access to an online account, the entity must also direct affected individuals to take appropriate steps to protect their online accounts

Additional provisions of the bill require covered entities to ensure that third-party vendors protect person information before it is shared with the vendor and to implement written policies governing secure document disposal.

The new law does not include exemptions for size or type of entity, and coverage extends to government agencies. The law authorizes the Attorney General to bring an action to ensure compliance and/or recover damages, and authorized relief may include criminal charges.

Edit Module
Danielle Urban

Danielle S. Urban is a partner in the Denver office of Fisher Phillips, representing employers nationally in labor, employment, civil rights, employee benefits and immigration matters. Contact her at durban@fisherphillips.com or 303.218.3650.

Get more content like this: Subscribe to the magazine | Sign up for our Free e-newsletter

Edit ModuleShow Tags

Archive »Related Articles

Advancing women to the boardroom is good for business

In the last weeks of 2020, the Denver campaign for 2020 Women on Boards looks to meet (or exceed) the national percentage of women on local corporate boards.

The Wild West of Hiring: What, why and how to measure results

It’s important that we pay attention to both skills and attitude, experience and culture fit, character and personality. A well-defined hiring process based on data and punctuated with personal observation helps us choose the right people.

Bobby Stuckey’s appetite for restaurant chaos hasn’t dimmed

With his business partners, Stuckey has been involved in Frasca, Pizzeria Locale, a 2.0 joint venture with Chipotle, Tavernetta, and is currently working on a new project: Sunday Vinyl.
Edit ModuleShow Tags
Edit Module


Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags