On May 29, 2018, Colorado Governor John Hickenlooper signed HB 18-1128, a law that requires reasonable procedures and practices for safeguarding personally identifiable information. The unanimously passed legislation takes effect on September 1, 2018, and will affect not only businesses based in Colorado, but potentially any business whose clients or employees reside in the state.
Introduced into the Colorado legislature in January, the bill initially faced strong opposition from businesses and was put to a vote only after amendments. The new law expands the meaning of "personal information" to cover the first name or first initial and last name of a Colorado resident in combination with any of the following data elements (when the name or element is not encrypted, redacted, or otherwise secured so as to be unreadable): social security number; passport identification number; student or military identification number; driver's license number or state-issued identification card number; medical information; health insurance identification number; or any biometric data. The law also defines "personal information" to include: a username or email address paired with a password or security question and answer that would permit access to an online account; and a Colorado resident's account number or credit or debit card number in combination with a security code, access code, or password that would permit access to the account.
The new law also requires a business that suffers a data breach affecting more than 500 Colorado residents to notify the state Attorney General no later than 30 days after the date it determines that a breach occurred. The 500-resident threshold is not the lowest in the U.S., but the 30-day deadline is among the shortest in the nation, placing Colorado at the leading edge of state breach-notification law. The law does not exempt entities that are already required to report under HIPAA or Gramm-Leach-Bliley, and where the state statute conflicts with another state or federal law, the shortest notice period controls, which in practice will usually be Colorado's 30-day requirement.
Finally, and arguably most importantly, the new law prescribes policies and procedures for protecting and disposing of individuals' personally identifiable information, for both private and governmental entities. Under newly amended section 6-1-713 of the Colorado Revised Statutes, subsection (1) now provides that covered entities in Colorado that keep paper or electronic documents containing personally identifiable information must adopt a written policy for the destruction and proper disposal of those documents when they are no longer needed. For private entities, any business covered by the act that maintains, owns, or licenses personal information, including one that uses a third-party service provider, must implement reasonable security practices to protect that information. The practices must be appropriate to the nature and size of the entity's operations and the sensitivity of the data. Moreover, unless the covered entity agrees to provide its own security protection for information it hands to a third party, it must contractually require the third-party service provider to maintain reasonable security practices. The information covered by this provision differs from the information covered by the notification requirement. The protection and disposal requirement covers: social security numbers; driver's license or official identification card numbers; personal identification numbers; passwords or passcodes; passport numbers; biometric data; employer, student, or military identification numbers; and financial transaction devices.