New Colorado Law Sets Shortest Data Breach Notification Requirements in U.S.

What you need to know to be ready by Sept. 1, 2018

On May 29, Governor Hickenlooper signed into law House Bill 18-1128, which sets stricter requirements for data breach notifications, reasonable data security, and the disposal of personal information regarding Colorado residents.

Under the new law, which takes effect in less than 90 days on September 1, covered entities are required to notify Colorado residents of the unauthorized acquisition of personal information within 30 days of discovering a security breach. Currently, this is the shortest time frame of any U.S. state (Florida also has 30-day notification period, but allows an additional 15 days under certain circumstances). A covered entity is an individual or legal entity that maintains, owns, or licenses personal information in the course of their business, but excludes third-party service providers as defined under the new law.

The new law also:

• Expands the definition of “personal information” to mean a Colorado resident’s first name or first initial and last name in combination with any one of the following data elements that relate to a Colorado resident: social security number; student, military, or passport identification number; driver’s license number of identification card number; medical information; health insurance identification number; biometric data; username or e-mail address, in combination with a password or security questions and answers that would permit access to an online account; or account number or credit/debit card number in combination with any required security code, access code, or password that would permit access to the account.
• Requires that covered entities provide Colorado residents with the estimated date of the security breach and a description of the information exposed as well as the covered entity’s contact information, and consumer reporting and credit reporting resources.
• Adds a new requirement to notify the Colorado Attorney General about security breaches impacting at least 500 residents.

Notably, the law does not create exemptions for covered entities subject to reporting requirements under the GLBA or HIPAA, and if a conflict exists between the 30-day notice period and a time period under another state or federal law, the shortest notice period applies.

“The state of Colorado is taking a strong position to ensure consumers are informed and have an opportunity to respond quickly if their personal information is exposed,” said Chris Achatz, data privacy attorney at KO. “Businesses working with Colorado residents should implement policies and procedures promptly to comply with the new law.”

For the first time in Colorado, the law requires businesses to “implement and maintain reasonable security procedures and practices” that are appropriate to the nature of the information and the size and scope of the business operations. The new law requires covered entities to flow down this requirement to implement reasonable security measures to its third-party service providers in contracts that address the use and processing of such information. Covered entities must also develop a written policy for the destruction and proper disposal of paper and electronic information.

For more information, please contact Chris Achatz or Ben Oelsner with KO’s privacy practice.