06/05/2018
On May 29, 2018, Colorado passed House Bill 18-1128, which requires "covered entities" to comply with new rules regarding the security and disposal of "personal identifying information" (PII). The new law also provides an expanded definition of "personal information" and more stringent notification standards in the event of a security breach involving personal information.
If your business maintains, owns or licenses personal information of Colorado residents, you need to comply. Keep in mind that personal information is broadly defined to include first initial and last name in combination with unencrypted identification numbers (SSN, passport number, driver's license, etc.). It also includes an email address combined with a password or security questions and answers, and account or debit/credit card numbers combined with access codes or passwords.
A summary and text of the law are available here.
Below are the detailed definitions and requirements:
Covered Entity is a person that maintains, owns, or licenses personal information in the course of their business, vocation or occupation. Covered entity does not include a "third-party service provider."
Personal Information means:
Personal information, however, does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
Personal Identifying Information means a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver's license or identification card number; a government passport number; biometric data; an employer, student or military identification number; or a financial transaction device.
Third-Party Service Provider means an entity that has been contracted to maintain, store or process PII on behalf of a covered entity.
The new rules impose the following obligations:
The notice must include the following information: date (or estimated date or date range) of the breach; description of the PII involved; contact information for the covered entity, consumer reporting agencies, and the Federal Trade Commission (FTC); and a statement that the resident can obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes.
In the event the covered entity determines that the PII has been misused or is reasonably likely to be misused, the covered entity must also direct the affected persons to change their password and security questions, or take other steps appropriate to protect their affected online account(s).
A covered entity must also notify the Colorado Attorney General's office in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred, of any breach reasonably believed to affect 500 or more Colorado residents, and must notify credit reporting agencies if it is required to give notice to more than 1,000 Colorado residents.
A covered entity that maintains its own notification procedures as part of an information security policy for the treatment of PII and whose procedures are otherwise consistent with the timing requirements of the new notification laws is deemed in compliance with the notice requirements when it notifies affected residents in accordance with its policies. In addition, regulated covered entities that maintain security breach procedures pursuant to their regulator’s laws, rules, regulations and guidelines are deemed in compliance with the new notification provisions.
If your company maintains personal information or personal identifying information (PII) of Colorado residents in the course of your business, we recommend that you implement a security policy and procedures that include provisions for document disposal, third-party service provider controls, and breach notification consistent with the new law.
For more information on Colorado's new privacy and cybersecurity legislation, please contact Steve Cosentino, Karen Garrett, Donna Gonzales, Lawrence Lee, Selena Samale or the Stinson Leonard Street contact with whom you regularly work.