Colorado’s Data Privacy Laws ~ Keeping up with latest amendments

Most businesses update their policies every time there is a change in laws governing health insurance or wages. However, many companies are slow to react to amendments in data privacy laws.

In September last year, Colorado updated the Protections for Consumer Data Privacy Act, which came into effect on May 29, 2018. This latest amendment introduces higher standards for protecting consumers’ personal identifying information (PII) and affects companies of all sizes, across most sectors.

For any readers unfamiliar with what constitutes PII, typical examples include:

  • social security number;

  • ID card number;

  • residential address;

  • government-issued driver’s license;

  • passport number;

  • biometric data.

First and foremost

Any business, irrespective of its size, that collects, stores or processes PII, whether in paper or digital form, is required to take all “reasonable” measures to protect the PII it retains. Businesses have a degree of flexibility in implementing appropriate procedures depending on their resources and context, since there is currently no definition of the term “reasonable”. Understandably, this may cause some uncertainty for businesses seeking clear and concise answers to the question of whether they are doing enough under the law.

So, to clarify things, let’s proceed with an overview of the latest changes…

Who is affected by the changes to Colorado’s consumer data privacy laws?

The official answer according to the Colorado Attorney General, is:

“Any person, commercial entity, or governmental entity that maintains, owns, or licenses personal identifying information (“PII”) of Colorado residents in the course of its business, vocation, or occupation.”

How have the laws changed?

The three most significant changes are as follows:

  1. The law that requires disposal of PII now requires written policies governing the disposal of both paper and electronic records that contain PII.

  2. A new law requires covered persons and entities to take reasonable steps to protect PII.

  3. The law that requires notification of data security breaches now requires detailed notice to consumers and, in certain circumstances, notice to the Attorney General.

The above changes came into effect on September 1, 2018.

Now, let’s look at each of these amendments more closely and pre-empt some of the typical questions being asked:

#1 ~ Disposal of Personal Identifying Information

If your company owns or licenses PII, whether in paper or in digital form, you are required to develop and implement a written policy to ensure that the PII is destroyed when it is no longer needed.

What is PII? As briefly mentioned above, PII includes information such as: social security numbers; personal identification numbers; passwords; pass codes; official state or government-issued driver’s license or identification card numbers; government passport numbers; biometric data; employer, student, or military identification numbers; and financial transaction devices, including financial account numbers.

One of the most frequently asked questions is:

  • I am regulated by state or federal law, and my regulator sets its own requirements for disposal of personal identifying information. Is it enough to follow those laws and regulations?

    Answer: Yes. If you maintain procedures for disposal of PII pursuant to the laws, rules, regulations, guidance, or guidelines established by your state or federal regulator, you are complying with Colorado’s law governing disposal of personal identifying information.

#2 ~ Protection of Personal Identifying Information

  • What steps does the law require me to take to protect PII that I maintain, own, or license in the course of my business?

    Answer: You are required to take reasonable security measures to protect PII, considering the nature and size of your business and the type of PII that you are collecting. See C.R.S. § 6-1-713.5 if you are a person or commercial entity, or C.R.S. § 24-73-102 if you are a governmental entity.

  • I am regulated by state or federal law, and my regulator sets its own requirements for protection of PII. Is it enough to follow those laws and regulations?

    Answer: Yes. If you maintain procedures for the protection of personal identifying information pursuant to the laws, rules, regulations, guidance, or guidelines established by your state or federal regulator, you are complying with Colorado’s law governing the protection of PII.

  • I am a third-party service provider that maintains, stores or processes PII for clients. What are my obligations to protect that PII?

    Answer: Unless your client agrees to provide its own security protection for the PII it discloses to you, it must require you to implement and maintain security procedures and practices that are appropriate to the kind of PII your client is disclosing and are reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure or destruction.

#3 ~ Security Breach Notification

  • What is a security breach?

    A security breach is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PII maintained by a person, commercial entity, or governmental entity.

    Examples include:

    • a hacker electronically accessing and acquiring computerized data;

    • unauthorized access of a computer network through weak passwords;

    • unencrypted consumer information sent through a payment system;

    • a briefcase or laptop computer containing client files that is stolen or misplaced; or

    • a mobile device or data storage device containing PII that is stolen or misplaced.

  • I am a person, commercial entity, or governmental entity that collects PII.  Do I need to familiarize myself with the updates to Colorado’s security breach notification laws?

    Answer: Yes. There have been significant changes to the security breach notification requirements.  The new law also imposes security breach notification requirements for governmental entities.

  • What type of breached information does the law cover?

    The law covers breaches of “personal information,” which means a Colorado resident’s first name or first initial and last name in combination with any one of the following:

    • Social Security number

    • Driver’s License number or Identification Card number

    • Student, military, or passport identification number

    • Medical information

    • Health insurance identification number

    • Biometric data (i.e., fingerprints, iris recognition, retinal scans)

  • Under what circumstances do I have to notify Colorado residents of a security breach?

    Answer: If you become aware that a security breach may have occurred, you must conduct a prompt, good faith investigation to determine the likelihood that personal information has been or will be misused.  Unless the investigation determines that the information has not been misused and is not reasonably likely to be misused, you must provide notice to the affected Colorado residents.

  • How long do I have to provide notice to the affected Colorado Residents?

    Answer: You must provide notice in the most expedient time possible, without unreasonable delay, and within 30 days after the date of determination that a security breach has occurred.

    You may take longer than 30 days to provide notice if a law enforcement agency has directed you not to send notice, or if longer than 30 days is necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

  • Other than the affected Colorado residents, am I required to notify anyone else?

    Answer: Yes. If the security breach is reasonably believed to have affected 500 or more Colorado residents, you must provide notice of the security breach to the Colorado Attorney General.

    You must provide this notice in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred.

    If the security breach is reasonably believed to have affected more than 1,000 Colorado residents, you must notify the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.  You must notify these agencies of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified.  You must provide this notice in the most expedient time possible and without unreasonable delay.

    As of the date of this post, the websites of the credit reporting agencies are:

  • How must the notice to Colorado residents be provided?

    Notice must be provided by one of the following methods:

    • Written notice to the Colorado resident’s postal address;

    • Telephonic notice; or

    • Electronic notice.

    There are some exceptions to the requirement to provide notices using any of the above methods:

    You may provide substitute notice if:

    • the cost of providing notice will exceed $250,000;

    • the number of Colorado residents to be notified exceeds 250,000; or

    • you do not have enough contact information to provide notice.

  •  What are the requirements for substitute notice?

    Substitute notice must be provided by:

    • E-mail, if you have email addresses for all affected Colorado residents;

    • Conspicuous posting of the notice on your website; and

    • Notification to major state-wide media.

  • What information should I include in the notice to Colorado residents?

    The notice must include the following:

    • The date, estimated date, or estimated date range of the security breach;

    • A description of the personal information that was acquired as part of the security breach (or that is reasonably believed to have been acquired);

    • Information that a resident can use to contact you to inquire about the security breach;

    • A statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes;

    • The toll-free numbers, addresses, and websites for consumer reporting agencies.

IMPORTANT: You should NOT provide the Attorney General with the PII that was breached. If the office requires additional information, someone will contact your primary contact as described above to request that information.

Our viewpoint

While some may consider these changes in Colorado’s Consumer Data Protection Laws to be a “tall order”, particularly for small businesses, these amendments are vital in order to protect consumers’ Personal Information.

Stronger data protection can help to reduce occurrences of data breaches, which often lead to identity theft and fraudulent transactions. A data breach can result in punitive fines, legal costs, and reputational damage.

In our connected world, nurturing the trust and confidence of consumers is paramount if we want to build a strong base of loyal customers. When consumers’ interests are properly protected, businesses benefit through sales and profits. By strengthening its data protection laws, Colorado is on track to reduce the kind of data breaches and privacy violations that have resulted in heavy costs for businesses across America.

This article contains an abridged version of content published on the Colorado AG’s website.

Sources and credits: Attorney General - State of Colorado