Just moments after we compiled the latest updates for Arizona and Oregon, another data protection bill was signed! This time it was a Colorado bill signed into law by Governor John Hickenlooper. The bill will go into effect September 1, 2018.
Even now that there are 50 separate breach notification laws (plus US territories), state legislatures are continuing to change their laws to respond to widespread data breaches and address evolving technology.
Specifically, House Bill 1128 was one of three bills introduced during the 2018 Colorado legislative session looking to help consumers in the wake of high-profile data breaches affecting millions of customers. This bill passed unanimously in the legislature, signifying a bipartisan understanding that data security is a key issue for the State.
The other bills are (1) a noncontroversial bipartisan bill allowing guardians to freeze the credit reports of minors (which was signed by Gov. Hickenlooper); and (2) a bill allowing consumers to freeze their records if a company was hacked (which was defeated).
Some of the major changes under HB 1128 include:
- Data Disposal: HB 1128 creates more stringent requirements regarding the disposal of personal information, including a required written policy and specified methods of destruction. Note that with respect to the data disposal requirements, “personal identifying information” (PII) is defined to include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device. This definition is not the same as the definition of “personal information” or “PI” in Colorado’s breach notification law.
- Personal Information: The definition of “personal information” (PI) has been expanded to include first name or first initial and last name in combination with student, military, or passport identification number, medical information, health insurance identification number, or biometric data. Personal information also includes a username or email address, in combination with a password or security questions and answers, that would permit access to an online account. Finally, PI includes a Colorado resident’s account number or credit/debit card number in combination with any required security code, access code, or password that would permit access to the account. The full definition of personal information appears in the new House Bill 1128.
- Breach Notification Timeline: The timeline for notification has changed from “in the most expeditious manner possible and without unreasonable delay” to “not later than 30 days after the date of determination that a security breach has occurred”. With this change, Colorado and Florida are the only two states that require notification of a security breach within the shortened timeframe of 30 days. And when Colorado and federal notification laws conflict, the amendment provides that “the law or regulation with the shortest time frame for notice to the individual controls.”
- Notification Content: The new amendment adds content requirements to the notification letter, including (i) the date or estimated date range of the security breach; (ii) a description of the acquired personal information; (iii) a way for the resident to contact the organization; (iv) toll-free numbers, addresses, and websites for consumer reporting agencies (CRAs) and the Federal Trade Commission (FTC); (v) a statement that the resident can obtain information from the FTC and CRAs about fraud alerts and security freezes; and (vi) if the acquired data included a username or email address in combination with a password or security questions and answers for an online account, a statement directing the person to promptly change the password and security questions or answers, or take other steps appropriate to protect online accounts that use the same username or email address.
- Attorney General Notification: If notice of a security breach is made to 500 or more Colorado residents, the amendment adds a new requirement to notify the Colorado Attorney General within the same 30-day timeline.
- Encryption Safe Harbor Updates: The new amendment also requires disclosure when encrypted personal information is acquired together with the encryption key or other means to decipher the secured information. This adjustment mirrors the encryption clarifications adopted in many other recent breach notification amendments.
- Security Requirements Added: Brand new security requirements are listed under Section 6-1-713.5. Specifically, covered entities must “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” The amendment also requires data owners, maintainers, and licensors to include appropriate security measures in contracts with third-party service providers that receive personal identifying information from the covered entity and that maintain, store, or process that data on behalf of the covered entity.
- New requirements for government entities: The amendment also adds new sections to Title 24 of the Colorado Revised Statutes that create obligations for government entities similar to those discussed above.
For questions about this update, or other evolving breach notification laws, you can contact our privacy and security professionals at firstname.lastname@example.org.