
Colorado's Revised Data Disclosure Law

One of the most stringent in the country


Colorado’s Protections for Consumer Data Privacy law (“new law”) takes effect September 1 and requires that businesses holding personal information for Colorado residents destroy the data they don’t need, protect the data they decide to keep and disclose any security breaches involving that data within 30 days of its occurrence. The new law amends existing obligations and adds new obligations applicable to businesses holding information about Colorado residents.


Colorado law already had a definition of PII. The new law clarifies the definition and expands the existing requirement to dispose of paper documents containing PII. Now, businesses must develop a written policy to destroy or dispose of paper and electronic documents containing PII. Businesses must destroy paper and electronic documents that “are no longer needed.”

The new law creates an additional requirement for businesses to protect Colorado residents’ PII from unauthorized access by implementing reasonable security procedures and practices based on (1) the nature and size of the business, and (2) the nature (sensitivity) of the PII.


The law also revises Colorado’s breach notification requirements. The revision expands the original definition of “personal information” (not to be confused with the law’s definition of PII described above) and sets a deadline for disclosing security breaches. A Colorado resident’s personal information now includes two new categories in addition to the original categories. The new categories are:

  1. The resident’s username or e-mail address in combination with a password or security questions and answers, that would permit access to an online account;
  2. The resident’s account number or credit or debit card number in combination with any required security code, or password that would permit access to that account.

If a business learns that a security breach may have occurred, the organization must promptly investigate the likelihood that Colorado residents’ personal information has been, or will be, misused. Unless the investigation concludes that misuse of personal information is unlikely to occur, the business must disclose the security breach without unreasonable delay and no later than 30 days after discovering the security breach may have taken place.

The new law requires additional notifications be made in certain cases. If more than 1,000 Colorado residents have to be notified of a security breach, the Covered Entity is also required to notify all consumer reporting agencies that compile and maintain files on consumers nationwide.

If 500 or more Colorado residents are reasonably believed to have been affected by the security breach, the Covered Entity must also notify the Colorado Attorney General of the security breach. The deadline to notify the Attorney General is also 30 days after the point in time when sufficient evidence exists to conclude that a security breach has taken place.

Erik Dullea is a partner in Husch Blackwell LLP’s Denver office and belongs to the firm’s Technology, Manufacturing & Transportation industry group.

