What Companies Need to Know About Changes to Colorado's Cybersecurity Law

Entities doing business in Colorado will need to comply with new data security requirements as a result of legislation passed by the Colorado legislature that went into effect on September 1. The legislation was spearheaded by the Colorado Attorney General’s office to strengthen the office’s ability to investigate and take action against entities that do not take proper measures to protect the confidential information of Colorado residents.

Specifically, the new law requires covered entities to:

• Implement and maintain reasonable security measures to protect paper and electronic documents containing personal identifying information of Colorado residents;
• Contractually require third-party service providers to implement and maintain reasonable security measures to protect paper and electronic documents containing personal identifying information of Colorado residents; and
• Implement a written policy to dispose of documents containing personal identifying information of Colorado residents.

The law defines “personal identifying information” broadly to include social security numbers, personal identification numbers, passwords, pass codes, official state or government-issued drivers’ license or identification card numbers, government passport numbers, biometric data, employer identification numbers, student identification numbers, military identification numbers and financial transaction devices.

DAVID STAUSS WROTE THE COLORADO HANDBOOK ON CYBERSECURITY

The law also significantly amends Colorado’s data breach notification statute to make it one of the strictest in the country. Under the amended law, if a business suspects it experienced a security breach, it must conduct a prompt investigation to determine whether a compromise of “personal information” occurred. If so, it must notify affected Colorado residents within 30 days and provide specific information as to the nature of the breach, such as a description of the personal information that was compromised and the date of the breach. Notice also must be provided to the Colorado Attorney General’s office if the breach affected the personal information of 500 or more Colorado residents.

The new law drastically expands the type of information that will trigger a breach notification obligation if compromised. Specifically, the law defines “personal information” to mean a Colorado resident’s first name or first initial and last name in combination with any of the following data elements: social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. The definition also includes a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account or a Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.

To ensure compliance with the law, covered entities should develop and implement:

• A written information security program containing administrative, technical, and physical safeguards to protect personal identifying information;
• A written document retention/disposal policy that complies with the law’s requirements;
• A third-party vendor-management program that ensures personal identifying information is treated properly when transferred to third-party service providers; and
• An incident-response plan that complies with the law’s breach notification requirements.

David M. Stauss is a partner at Ballard Spahr's Denver office and Gregory P. Szewczyk is an associate.