As we were the first in the nation to report, in January, Colorado lawmakers proposed legislation that would significantly change the way in which entities operating in Colorado must protect confidential information and disclose breaches involving same.
Last week, the bill’s sponsors submitted an amended bill that revises a number of key provisions. Among other changes, the amended bill would require entities to notify Colorado residents within 30 days of discovery of a data breach. If enacted, Colorado would have the shortest time frame for disclosure in the country.
The bill’s sponsors also left little doubt that the proposed legislation was a reaction to the Equifax data breach. At a committee hearing held in Denver on February 14, co-sponsor Jeff Bridges (D-Arapahoe County) began his remarks by specifically identifying the Equifax breach as his motivation for sponsoring the bill. During his remarks, co-sponsor Cole Wist (R-Arapahoe County) stated that the legislation would provide some of the strongest protections for consumers in the country.
The Colorado legislature’s efforts are another reminder that states are continuing to take the lead in enacting privacy and cybersecurity legislation in the face of federal inaction.
For a discussion of the amended bill, see our alert, Update on Colorado’s Proposed Privacy and Cybersecurity Legislation. To listen to the committee hearing, including testimony from Ballard Spahr partner David Stauss, click here.