Colorado Strengthens Data Breach Notification Law

By: Jason Taylor

This is the first in a series of posts that the firm will be publishing over the next few weeks addressing the continuing evolution and rapidly changing state of U.S. privacy breach notification legislation.

We start our survey in Colorado, which enacted an amended data breach notification statute on May 31, 2018 that aligns the state’s statutory scheme with some of the nation’s strictest.

Colorado’s amended law is effective as of September 1, 2018, and modifies Colorado’s existing statute in several significant areas, including by:

  • requiring persons and entities (“Covered Entities”) that hold either electronic or paper copies of Colorado residents’ “personal information” (“PII”), including biometric data, to implement and employ “reasonable security procedures and practices” for protecting and disposing of PII; and
  • reducing to a maximum of 30 days the time frame afforded Covered Entities to notify affected Colorado residents and, as appropriate, the Attorney General once the Covered Entity has determined that a security breach has occurred.

Here’s a brief summary of each of these modifications:

Reasonable Security Procedures And Practices

The amended law requires any “person” who maintains a Colorado resident’s PII to implement reasonable safeguards to protect such PII. These procedures and practices must be “appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”

Unless the Covered Entity agrees to provide its own security protection for PII it discloses to third parties, it must require the third-party service provider receiving or maintaining the PII to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information disclosed and reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction. As a result, and as is already the case in Massachusetts and California, Covered Entities must scrutinize their service provider contracts to ensure that appropriate security procedures and practices flow down to these vendors and satisfy the new law’s requirements.

Covered Entities also must develop and maintain a written policy for the destruction and proper disposal of electronic and paper documents containing PII. The amended statute requires all “covered entit[ies] in the state that maintain[] paper or electronic documents during the course of business that contain personal identifying information” to develop and implement a written policy for the destruction or disposal of such information once such documentation is “no longer needed.”

Expanded Data Security Breach Notification Obligations

The amended law also adds a number of new data elements to the definition of PII.

Colorado’s existing law defined PII as a Colorado resident’s first name or first initial and last name in combination with one or more of the following unencrypted, unprotected, or unsecured data elements: social security number; driver’s license number or identification card number; or account number or credit/debit card number, in combination with any required security code, access code, or password permitting access to a resident’s financial account.

As amended, PII now includes the following additional data elements: student, military, or passport identification number; medical information; health insurance identification number; or biometric data. PII also now includes a Colorado resident’s username or email address, in combination with a password or security questions/answers permitting access to an online account.

In addition, Covered Entities will now be required to notify affected Colorado residents of a security breach no later than 30 days after the date the Covered Entity determines that the breach occurred. If more than 500 Colorado residents are affected by the incident, the state’s Attorney General must also be notified. Along with Florida’s, this is the shortest time frame mandated by any state for Covered Entities to provide notification of a breach.

Colorado’s amended statute also dictates the types and nature of the information about which affected persons and, as appropriate, the Attorney General must be notified, including:

  • the date, estimated date, or date range of the security breach;
  • a description of the PII compromised;
  • a way for the resident to contact the organization;
  • toll-free numbers, addresses, and websites for consumer reporting agencies and the FTC;
  • a statement that the resident can obtain information from the FTC or credit-reporting agency about fraud alerts and security freezes; and
  • if the acquired data included a username or email address with password or security questions/answers for an online account, a statement directing the person to promptly change the password and security questions for their online account or take other steps to protect the account.

The law also states that where Colorado and federal notification laws conflict (e.g., HIPAA or the Gramm-Leach-Bliley Act), “the law or regulation with the shortest time frame for notice to the individual controls.”

Colorado now joins a number of other states that have enacted, amended, or are considering amending, their privacy breach notification laws to include more modern, and more robust, reporting and data protection obligations.

Similar to Colorado’s 30-day breach notification requirement, states such as Alabama, Arizona, New Mexico, Ohio, Oregon, Rhode Island, Tennessee, Vermont, Washington, and Wisconsin give Covered Entities a relatively tight deadline of 45 days to notify state residents of a privacy breach once the Covered Entity determines that a breach has occurred.

Other states such as Arkansas, California, Illinois, Maryland, Michigan, Nevada, Oregon, and Utah, among others, have also enacted social media privacy laws regulating the use of and access to social media by employers and educational institutions. Such laws, while different in scope and degree, generally prohibit employers and/or higher education institutions from requesting or demanding access to social media accounts of employees, job applicants, and/or students when those sites are not fully public.

Many states also have enacted privacy laws that specifically protect children’s PII, including certain K-12 student information.

Perhaps the most forward-thinking of the states, Washington, Illinois, and Texas have passed biometric privacy laws to regulate and protect the collection and use of biometric information such as a person’s unique facial, fingerprint, or other biological characteristics. These laws have been the basis for several recent lawsuits against companies collecting such data improperly, and may present a new front in data privacy and protection.

The next stop on our nationwide tour will be California, which, on June 28, 2018, enacted a new data privacy law entitled the California Consumer Privacy Act of 2018 (“CCPA”). CCPA goes into effect on January 1, 2020, and will supplement California’s existing data breach notification law. Barring other states’ enhancements between now and then, and assuming CCPA is not amended before it becomes effective on January 1, 2020, California’s combined privacy and breach notification laws will be the most robust in the country. While the laws do not mirror Europe’s General Data Protection Regulation (“GDPR”), they are as close as any U.S. legislation has come to date. Some are already referring to CCPA as “California’s GDPR.”