
Colorado Enacts New Data Security Law – Are You in Compliance?

Data security requirements regarding the disposal of personal identifying information


On May 29, Gov. John Hickenlooper signed HB-1128 into law. Importantly, the bill amends the State’s data breach notification law to require that affected Colorado residents be notified within 30 days of a data breach, and specifies the information that must be included in the data breach notice. The new law, which takes effect Sept. 1, applies to “covered entities” (if your business maintains, owns or licenses information of Colorado residents, regardless of where the business or data is based, it is a “covered entity”). It also sets forth certain data security requirements and adds requirements regarding the disposal of personal identifying information.

Among other amendments to Colorado’s existing data breach notification law, the new law defines “personal information” as a combination of a Colorado resident’s first name or initial and last name along with one or more of the following:

1. Social Security number

2. Student, military or passport identification number

3. Driver’s license number or identification card number

4. Medical information

5. Health insurance identification number

6. Biometric data

The definition of “personal information” also includes a Colorado resident’s:

1. Username or email address in combination with a password or security questions and answers that would enable access to an online account

2. Account number or credit or debit card number in combination with any required security code, access code or password that would enable access to that account.

If a data breach has affected more than 500 Colorado residents (or is reasonably believed to have done so), those residents must be notified of the breach within 30 days (with no extensions), and the Colorado Attorney General must also be provided notice of the breach, regardless of what other security breach procedures the entity might maintain.

The notice must contain certain information, including:

  1. The date or estimated date or estimated date range of the breach
  2. A description of the personal information breached or reasonably believed to have been breached
  3. The entity’s contact information
  4. The toll-free numbers, addresses and websites for consumer reporting agencies and the FTC
  5. A statement that the Colorado resident can obtain information from the FTC and the credit reporting agencies regarding fraud alerts and security freezes. If the breach involves a Colorado resident’s username or email address in combination with a password or security questions and answers that would enable access to an online account, the entity must also direct affected individuals to take appropriate steps to protect their online accounts

Additional provisions of the bill require covered entities to ensure that third-party vendors protect personal information before it is shared with the vendor and to implement written policies governing secure document disposal.

The new law does not include exemptions for size or type of entity, and coverage extends to government agencies. The law authorizes the Attorney General to bring an action to ensure compliance and/or recover damages, and authorized relief may include criminal charges.

Danielle Urban

Danielle S. Urban is a partner in the Denver office of Fisher Phillips, representing employers nationally in labor, employment, civil rights, employee benefits and immigration matters. Contact her at durban@fisherphillips.com or 303.218.3650.
