Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third-party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at noon PT/1 p.m. MT/3 p.m. ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs.

The most notable provisions of the new law are discussed below.

Data Security Requirements

For the first time, covered entities that maintain, own or license “personal identifying information” (PII) of a Colorado resident are required to implement and maintain reasonable security procedures and practices that are “appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”

The law defines PII broadly to include a social security number; personal identification number; password; pass code; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student or military identification number; or financial transaction device (as defined in C.R.S. § 18-5-701(3)).

Covered entities also must take measures to protect PII when transferring it to third parties. Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity “shall require” the third-party service provider to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII disclosed and reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction. A “third-party service provider” is defined as an entity that “has been contracted to maintain, store, or process personal information on behalf of a covered entity.”

The law also requires covered entities that maintain electronic or paper documents that contain PII to develop a written policy for the destruction of such documents when they are no longer needed.

The Attorney General’s office is authorized to enforce these new requirements and may bring an action in law or equity to ensure compliance or recover direct economic damages resulting from a violation.

As a consequence of these new requirements, covered entities should consider developing and implementing written information security programs that include appropriate administrative, technical and physical safeguards for the types of PII that they maintain, own or license.

Changes to Colorado’s Breach Notification Law

The new law strengthens and expands Colorado’s data breach notification law. Perhaps the most significant change is that covered entities now must notify affected individuals within 30 days after determining that a security breach occurred that resulted in, or is likely to result in, misuse of personal information. Colorado’s 30-day deadline is the shortest of any state. Florida also has a 30-day deadline but allows for an additional 15 days under certain circumstances.

The new law drastically expands the types of information that will trigger a breach notification obligation if compromised. Specifically, the law defines “personal information” to mean a Colorado resident’s first name or first initial and last name in combination with any of the following data elements: social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. The definition also includes a Colorado resident’s username or e-mail address in combination with a password or security questions and answers that would permit access to an online account or a Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account. However, a covered entity does not need to provide notice if the information was encrypted unless the encryption key also was compromised.

Importantly, the law does not create exemptions for entities subject to reporting requirements under the Gramm-Leach-Bliley Act or HIPAA. Rather, if there is a conflict between the 30-day time period for providing notice under Colorado law and a time period in another federal or state law, the law with the shortest time frame for providing notice controls.

The law also specifies what type of information must be included in the notice, such as a description of the PII involved in the breach, the date or estimated date of the breach, and contact information for the Federal Trade Commission and credit reporting agencies. If the breach involves the compromise of login information, a covered entity also is required to notify individuals to change their login information for that account and any other account that uses the same login information.

A covered entity must notify the Colorado Attorney General’s office if it provides notice to 500 or more Colorado residents, and it must notify credit reporting agencies if it provides notice to more than 1,000 residents.

If a third-party service provider experiences a data breach, it must notify the covered entity “in the most expedient time possible, and without unreasonable delay.”

As with the new data security requirements, the Attorney General’s office is charged with enforcing violations of the notification requirements. However, a covered entity that maintains its own notification procedures as part of an information security policy that is consistent with the new law is in compliance with the law’s requirements if the covered entity follows those procedures. Therefore, to ensure compliance, covered entities should consider developing and implementing incident response plans that are consistent with the new law.

Finally, the law adds new provisions that create similar obligations for government entities.

The law will become effective on September 1, 2018.