Colorado Amends Law to Strengthen Data Privacy Protections (CO Clients Only)

In the fall of 2018, Colorado enacted a law that aims to strengthen the data privacy protections it provides to its residents. Broadly speaking, the new law expands the protections afforded under state law by making the state’s data breach notification requirements more rigorous, imposing more stringent data security requirements for Colorado businesses and their third-party vendors, and broadening the scope of the entities and the information to which the law applies. Below is a more detailed summary of the changes to this law and the new obligations it imposes on those doing business in Colorado.

Important Definitions

In order to understand the scope of this law, it is important to have a grasp of its significant defined terms:

  1. Covered Entity (“CE”): a person that maintains, owns, or licenses personal information (in the context of breach notification requirements), or personal identifying information (in the context of protection or disposal) in the course of the person’s business, vocation, or occupation.
  • Third-party service provider (“TPSP”): an entity that has been contracted to maintain, store, or transmit personal information on behalf of a CE.
  • Personal Identifying Information (“PII”): a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification member; or a financial transaction device.
  • Personal Information (“PI”): more broadly defined than PII, PI means a Colorado resident’s first name or initial and last name in combination with one or more of the following:
  • Social Security number
  • Student, military, or passport identification number
  • Driver’s license number or identification number
  • Medical information
  • Health insurance identification number
  • Biometric data

PI also includes a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account, as well as an account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.

New Obligations of Entities Conducting Business in Colorado

The former version of Colorado’s law applied only to persons or entities that conducted business within the state. In its revised form, the law now applies to any business that maintains the PI of a Colorado resident, regardless of whether it otherwise conducts business in the state. Additionally, the revised law obligates businesses to honor a significantly shorter breach notification deadline for a much broader range of data, and imposes breach notification form and content requirements based on the type of security breach and information that has been compromised. Finally, CEs are newly required to notify: (i) the Colorado Attorney General of security breaches involving more than 500 Colorado residents; and (ii) all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of security breaches involving more than 1,000 Colorado residents.  

Key Components of the New Law

  1. Disposal of PII: CEs that maintain PII are required to develop a written policy for the appropriate disposal of those data when such data are no longer needed by the CE, regardless of whether the data are in paper or electronic form. CEs may properly dispose of PII by shredding, erasing, or otherwise modifying the PII it holds.
  • Protection of PII: CEs that maintain, own, or license the PII of a Colorado resident are required to protect such PII from unauthorized access, use, modification, disclosure, or destruction by implementing reasonable security strategies that are suitable both to the nature and size of the CE, as well as to the type of PII involved.
  • CEs must also require their TPSPs to implement comparable strategies to protect the PII they handle on behalf of the CE, unless the CE has agreed to assume responsibility for the TPSP.
  • Importantly, a disclosure of PII does not include a CE sharing information with a third party when the CE maintains primary responsibility for implementing reasonable security strategies and technical controls to (i) protect PII from unauthorized access, use, modification, disclosure, or destruction, and (ii) effectively eliminate the third party’s access to the PII.
  • Breach Notification: A CE that maintains, owns, or licenses computerized data that includes PI about a resident of Colorado must:
  • Conduct a good faith, prompt investigation to determine the likelihood that PI has been or will be misused;
  • Give notice to the affected Colorado residents unless the CE’s investigation determines that the misuse of a Colorado resident’s information has not occurred and is not reasonably likely to occur; and
  • Give notice as soon as possible and without unreasonable delay within thirty (30) days after the date of determination that a security breach occurred, which must adhere to include specific content and form requirements.

Next Steps for Effected Businesses

            Colorado businesses, and businesses that handle the PI of Colorado residents, should take the following steps in order to fully comply with the new law.

  • Determine the extent to which the business handles the PI and/or PII of Colorado residents;
  • Develop and implement written security strategies to protect PII from unauthorized access, use, and disclosure;
  • Develop or amend their policies and procedures for investigating potential security breaches and for reporting identified security breaches in a timely manner;
  • Ensure workforce members are aware of, and adhere to, new or revised policies and procedures; and
  • Update agreements with third parties to ensure compliance with their new security policies and procedures.

***

Please do not hesitate to contact Steve Johnson, Esq. (sjohnson@kozakgayer.com), Mike Burian, Esq. (mburian@kozakgayer.com), or Taylor Fawns, Esq. (tfawns@kozakgayer.com), at (207) 621-4390 if you have questions regarding this new law, or if you would like our assistance in reviewing and updating your policies and procedures to ensure that they are in alignment with the requirements of this new law.