Recently, Colorado’s governor signed into law House Bill 18-1128 “concerning strengthening protections for consumer data privacy” (the “Bill”), which takes effect September 1, 2018. Among other provisions, the Bill (1) amends the state’s data breach notification law to require notice to affected Colorado residents and the Colorado Attorney General within 30 days of determining that a security breach occurred, imposes content requirements for the notice to residents and expands the definition of personal information; (2) establishes data security requirements applicable to businesses and their third-party service providers; and (3) amends the state’s law regarding disposal of personal identifying information.
Key breach notification provisions of the Bill include:
- Definition of Personal Information: The Bill amends Colorado’s breach notification law to define “personal information” as a Colorado resident’s first name or first initial and last name in combination with one or more of the following data elements: (1) Social Security number; (2) student, military or passport identification number; (3) driver’s license number or identification card number; (4) medical information; (5) health insurance identification number; or (6) biometric data. The amended law’s definition of “personal information” also includes a Colorado resident’s (1) username or email address in combination with a password or security questions and answers that would permit access to an online account and (2) account number or credit or debit card number in combination with any required security code, access code or password that would permit access to that account.
- Attorney General Notification: If an entity must notify Colorado residents of a data breach, and reasonably believes that the breach has affected 500 or more residents, it must also provide notice to the Colorado Attorney General. Notice to the Attorney General is required even if the covered entity maintains its own procedures for security breaches as part of an information security policy or pursuant to state or federal law.
- Timing: Notice to affected Colorado residents and the Colorado Attorney General must be made within 30 days after determining that a security breach occurred.
- Content Requirements: The Bill also requires that notice to affected Colorado residents must include (1) the date, estimated date or estimated date range of the breach; (2) a description of the personal information acquired or reasonably believed to have been acquired; (3) contact information for the entity; (4) the toll-free numbers, addresses and websites for consumer reporting agencies and the FTC; and (5) a statement that the Colorado resident can obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes. If the breach involves a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account, the entity must also direct affected individuals to promptly change their password and security questions and answers, or to take other steps appropriate to protect the individual’s online account with the entity and all other online accounts for which the individual used the same or similar information.
Key data security and disposal provisions of the Bill include:
- Definition of Personal Identifying Information: The Bill defines personal identifying information as “a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data…; an employer, student, or military identification number; or a financial transaction device.”
- Applicability: The information security and disposal provisions of the Bill apply to “covered entities,” defined as persons that maintain, own or license personal identifying information in the course of the person’s business, vocation or occupation.
- Protection of Personal Identifying Information: The Bill requires a covered entity that maintains, owns or licenses personal identifying information to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information it holds, and the nature and size of the business and its operations.
- Third-Party Service Providers: Under the Bill, a covered entity that discloses information to a third-party service provider must require the service provider to implement and maintain reasonable security procedures and practices that are (1) appropriate to the nature of the personal identifying information disclosed and (2) reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure or destruction. A covered entity does not need to require a third-party service provider to do so if the covered entity agrees to provide its own security protection for the information it discloses to the provider.
- Written Disposal Policy: The Bill requires covered entities to create a written policy for the destruction or proper disposal of paper and electronic documents containing personal identifying information that requires the destruction of those documents when they are no longer needed. A covered entity is deemed in compliance with this section of the Bill if it is regulated by state or federal law and maintains procedures for disposal of personal identifying information pursuant to that law.