Share this article on:
Colorado Governor John Hickenlooper has signed a bill – HB 1128 – into law that strengthens protections for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Legislature. The bill will take effect from September 1, 2018.
The bill requires organizations operating in the state of Colorado to implement reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is protected. The bill also reduces the time for notifying the state attorney general about breaches of PII and introduces new rules for disposing of PII when it is no longer required.
Personal information is classed as first name and last name or first initial and last name in combination with any of the following data elements (when not encrypted, redacted, or secured by another means that renders the information unreadable):
- Social Security number
- Student ID number
- Military ID number
- Passport number
- Driver’s license number or ID card number
- Medical information
- Health insurance ID number
- Biometric data
- Email addresses in combination with passwords or security Q&As
- Financial account numbers, and credit cards and debit cards with associated security codes that would permit access/use
Reasonable Security Measures Must be Implemented
Covered entities will be required to implement and maintain “Reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” Those measures should protect PII from unauthorized access, modification, disclosure, and destruction. In cases where PII is passed to a third party, the covered entity must ensure the third party also has reasonable security measures in place.
A written policy must be developed by all businesses that maintain the personal information of Colorado residents covering the disposal of that information when it is no longer required. Electronic data and physical documents containing PII must be disposed of securely. The bill suggests “Shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.”
30-Day Maximum Time Limit for Issuing Breach Notifications
When the bill was first introduced, it required the state attorney general to be notified of a breach of PII within 7 days of discovery. Such a short time frame for issuing notifications can help to ensure prompt action is taken to prevent harm or loss, although such a short time frame means notifications would need to be issued before it would be possible, in many cases, to determine whether there had been any misuse of data. This requirement of the bill attracted considerable criticism from large businesses operating in Colorado.
After careful consideration, this requirement was amended and the time limit for issuing notifications has been extended to 30 days following the discovery of the breach. Even so, this makes the notification requirements the strictest of any state. The state attorney general only needs to be notified of the breach if it has impacted more than 500 Colorado residents. Regardless of the scale of the breach, affected individuals must be notified within 30 days.
HIPAA-covered entities should note that the 30-day time limit will apply even though HIPAA allows up to 60 days to issue notifications. HIPAA-covered entities and entities covered by the Gramm-Leach-Bliley Act are not exempt.
Breach notices are required for any security breach that exposes personal information, except a good faith acquisition of personal information by an employee or agent of a covered entity if the information is not used for a purpose unrelated to the lawful operation of the business and if that information is not subject to further unauthorized disclosure.
A notice must also be placed on the website of the breached entity and a notification issued to statewide media.