New Colorado requirements in event of data breach

New laws protecting consumers in the event of a data breach take effect September 1 in Colorado.  The law expands notification requirements in the event of a breach and also adds new requirements for organizations and businesses to implement safeguards to protect the security and privacy of personal information. The following is a summary of the new requirements that will affect businesses:

Protection and disposal of data: procedures now required

Businesses must implement “reasonable safeguards” to protect personal identifying information, or PII (defined as a Colorado resident’s first name or first initial and last name, in combination with any of the following unencrypted data: social security number; passport, military, or student identification number; driver’s license or state identification card number; medical information or health insurance identification number; or biometric data).

Under the new law, a business maintaining or licensing PII must have procedures and practices in place to protect that PII. It must also require any third parties to which it discloses PII to have similar procedures to protect that information. It must also have a written policy for the destruction and disposal of such information, whether it is maintained electronically or in paper form. The statute provides that these measures must be “reasonable” and “appropriate” to the nature of the PII and to the nature and size of the business and its operations, although it does not define these terms. This is, however, a significant change in Colorado’s laws regarding protection of personal data, and any business that collects, maintains, and uses data meeting the definition of PII will have to comply.

Additional breach notification requirements

Like most other states, Colorado already has a law requiring businesses that collect and maintain customers’ personal data to notify those customers in the event of a breach.  The new law expands the type of information covered, to include:

  • The categories of PII listed above, if that information is not encrypted, redacted, or secured by some other means that renders the name or other data unreadable or unusable
  • A Colorado resident’s username or email address, in combination with a password or security questions and answers that would allow someone access to the resident’s account
  • A Colorado resident’s account number or credit/debit card number, in combination with any required code or password giving access to the account

Other changes in the notification law require a business to notify the state Attorney General within 30 days of discovering the breach, if it determines that the data of 500 or more Colorado residents has been affected by the breach. This is a much shorter reporting period than in almost any other state. In addition, if the data of more than 1,000 Colorado residents has been affected, the business must also notify consumer reporting agencies “in the most expedient time possible and without unreasonable delay.”

Often, an organization may not learn of a breach for months after it has occurred, but once it does learn of the breach, all of the notification requirements, including notifying the affected customers, will apply. It is also important to remember that if a business has customers in other states, the data breach notification laws of the states where those customers reside will govern how those customers must be notified, which can make the process much more complicated and expensive. It is, however, important to comply with breach notification requirements in the event of a breach, to avoid significant fines and potential litigation.

If you have any questions about the new data breach notification, or data and privacy issues in general, please contact Mark Spitz at Spitz Legal Counsel, at 720-575-0440 or by email at mark@spitzlegalcounsel.com.