On September 1, 2018, a new Colorado law took effect that, among other things, amends the state’s data breach law to: (1) expand the scope of the categories of “personal information” that trigger notification requirements; (2) require notification to residents and the state attorney general no more than 30 days after determining that a security breach has occurred; and (3) specify what must be included in these notifications.[1] In addition, the statute requires entities that maintain, own, or license personal identifying information (PII) to implement and maintain reasonable security practices and procedures to secure PII and to impose similar security obligations on third party service providers with which the entity shares PII. Finally, the law amends Colorado’s data disposal law to clarify the appropriate procedure for disposing of documents that contain PII. The passage of the Colorado law serves as a reminder that not only do state data breach notification requirements vary, but state laws also change over time in significant ways. Companies are well-advised to continue monitoring state laws for such changes.
Colorado previously defined “personal information” as a Colorado resident’s first name or first initial and last name in combination with any one or more of the following unencrypted, un-redacted, and unsecured data elements: (1) Social Security number; (2) driver’s license number or identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.[2]
H.B. 18-1128 expands this definition to include a resident’s: (1) first name or first initial and last name in combination with the resident’s unencrypted, un-redacted student, military, or passport identification number; or medical information, health insurance identification number, or biometric data[3]; (2) username or email address, in combination with a password or security question and answer that would permit access to an online account; and (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to that account.
Timing. The most significant change to Colorado’s data breach law is the new 30-day security breach notification requirement. Previously, Colorado required notification to be made “in the most expedient time possible and without unreasonable delay,” which allowed for more compliance flexibility. Now, notice must be made “in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach has occurred.”[4] “Determination that a security breach has occurred” means “the point in time at which there is sufficient evidence to conclude that a security breach has occurred.”[5] Although “security breach” is defined as the unauthorized acquisition of unencrypted computerized data, the statute also provides that notification must be made when (1) encrypted or otherwise secured information is disclosed, and (2) the confidential process, encryption key, or other means to decipher the information is acquired or reasonably believed to have been acquired as part of the breach.[6] Good faith acquisition of personal information by an employee or agent for business purposes is not a security breach if the information is not used for purposes other than lawful business operations or is not subject to further unauthorized disclosure.
Notice to the Attorney General. While Colorado previously did not require covered entities to notify the state attorney general of a security breach, notification to the attorney general is now required if the covered entity reasonably believes that the breach has affected 500 or more Colorado residents.[7] This notice must also be made within 30 days of determining that a breach has occurred, unless the investigation determines that misuse of the information has not occurred and is not likely to occur.
Content Requirements. The new law also includes specific content requirements for breach notices where Colorado was previously silent on this issue. These requirements include:
- The date, estimated date, or estimated date range of the security breach;
- A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach;
- Information that the resident can use to contact the covered entity to inquire about the security breach;
- The toll-free numbers, addresses, and websites for consumer reporting agencies;
- The toll-free number, address, and website for the Federal Trade Commission (FTC); and
- A statement that the resident can obtain information from the FTC and credit reporting agencies about fraud alerts and security freezes.[8]
Substitute Notice. Substitute notice is permitted when: (1) the cost of providing notice is more than $250,000; (2) more than 250,000 Colorado residents need to be notified; or (3) the company does not have sufficient contact information to provide notice. Substitute notice can consist of email notice if the company has email addresses for members of the affected class, conspicuous posting of the notice on the company’s website, and notification to major statewide media.
Additional Remedial Measures. If a covered entity’s investigation reveals that personal information has been or is reasonably likely to be misused, the covered entity must—within 30 days of determining that a breach has occurred—direct affected persons to promptly change their passwords and security questions or answers, as applicable, or take other appropriate steps to protect their account with the covered entity and all other accounts for which they use the same username or email address and password or security question and answer.[9] However, if the log-in credentials for email accounts furnished by the covered entity are compromised, the covered entity must comply with this requirement by written or telephonic notice, substitute notice, publication notice, or another alternative means.
Reasonable Security Standard
In addition to amending Colorado’s data breach law, the new law requires companies that maintain, own, or license Colorado residents’ PII, and do not maintain reasonable security procedures for protecting PII under another state or federal law or regulation, to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII and the size of the business and its operations.[10] PII includes Social Security numbers, personal identification numbers, passwords, pass codes, official state or government-issued ID card numbers, government passport numbers, biometric data, employer, student, or military ID numbers, and financial transaction device data.[11]
Companies with third party service providers must also impose reasonable data security obligations on those service providers that are appropriate to the nature of the PII they receive and reasonably designed to protect the PII from unauthorized access, use, disclosure, or destruction.[12] This requirement does not apply, however, if the company retains primary responsibility for implementing reasonable data security procedures and practices and implements and maintains technical controls that either help protect the PII from unauthorized access, use, disclosure, or destruction, or “effectively eliminate” the service provider’s ability to access the PII, notwithstanding its physical possession of it.
Finally, the new law amends Colorado’s data disposal law to require covered entities that are not in compliance with a state or federal data disposal law to develop a written policy for the destruction or proper disposal of paper and electronic documents containing PII. The policy must require that, when paper or electronic documents containing PII are no longer needed, the covered entity will destroy or arrange for the destruction of such documents by shredding, erasing, or otherwise modifying the PII contained in the documents to make it unreadable or indecipherable by any means.[13]
[1] House Bill 18-1128, available at https://leg.colorado.gov/sites/default/files/documents/2018A/bills/2018a_1128_signed.pdf.
[2] Colo. Rev. Stat. § 6-1-716 (2016).
[3] “Biometric data” includes “unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account.” Colo. Rev. Stat. § 6-1-716(1)(a) (2018).
[4] Id. § 6-1-716(2)(a) (emphasis added).
[5] Id. § 6-1-716(1)(c).
[6] Id. § 6-1-716(2)(a.4). Any waiver of these notification rights or responsibilities is considered void as against public policy. Id. § 6-1-716(2)(g).
[7] Id. § 6-1-716(2)(f)(I).
[8] Id. § 6-1-716(2)(a.2).
[9] Id. § 6-1-716(2)(a.3).
[10] Id. § 6-1-713.5(1).
[11] Id. § 6-1-713(2)(b).
[12] Id. § 6-1-713.5(2).
[13] Id. § 6-1-713.