Back in January, Colorado lawmakers on both sides of the aisle introduced a groundbreaking new bill requiring “reasonable security procedures and practices” for protecting personal identifying information, limiting the time frame to notify affected Colorado residents and the Attorney General of a data breach, and imposing data disposal rules, HB 1128. Now, Colorado Governor John Hickenlooper has signed the bill into law, marking Colorado as a leader in data protection. The new law will take effect September 1, 2018, and has significant implications for certain private and public sector entities in Colorado.

HB 1128 was sponsored by Rep. Cole Wist (R), Rep. Jeff Bridges (D), Senator Kent Lambert (R) and Senator Lois Court (D), and was passed unanimously by the Legislature, signifying the bipartisan understanding that, in today’s climate, data security is a key issue that must be addressed. Nonetheless, the bill was initially met with opposition by large businesses that argued that certain heightened requirements were already obligatory under federal law, and that notification to the Attorney General within 7 days was too short a timeframe to determine whether misuse of data had occurred, which could result in fear of identity theft even where none was present. The bill was then given an overhaul, taking into consideration the businesses’ concerns.

Key updates to Colorado’s new law include:

  • Expansion of breach notification requirements.

The bill expands the definition of information that, if breached, would require notification to affected Colorado residents. Under the new law, “personal information” (PI) means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military, or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. PI also includes a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers that would permit access to an online account. Finally, PI includes a Colorado resident’s account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account.

In addition, businesses that have to report a data breach affecting Colorado residents will have to notify affected residents and, if more than 500 Colorado residents are affected by the incident, the state’s Attorney General not later than 30 days after the date of determination that a security breach occurred. Currently, this is the shortest time frame of any U.S. state (Florida also has a 30-day notification period, but allows an additional 15 days under certain circumstances). Specific content requirements also were added to the state’s existing data breach notification law. Of note, the law does not create exemptions for entities subject to reporting requirements under HIPAA or the Gramm-Leach-Bliley Act, and if a conflict exists between the 30-day notice period and a time period under another state or federal law, the shortest notice period applies.

  • Requirements for reasonable security procedures and data disposal.

The new law adds requirements for businesses to implement reasonable safeguards to protect personal identifying information (PII), as well as to have procedures for disposing of PII that is no longer needed.

More specifically, covered entities in Colorado that maintain paper or electronic documents that contain personal identifying information must develop and maintain a written policy for the destruction and proper disposal of those documents. Additionally, covered entities that maintain, own, or license personal information, including those that use a nonaffiliated third party as a service provider, shall implement and maintain reasonable security procedures and practices to protect PII that are appropriate to the nature of the PII and the nature and size of the business and its operations. Moreover, unless the covered entity agrees to provide its own security protection for the information it discloses to a third party, the covered entity “shall require” the third-party service provider to implement and maintain reasonable security procedures and practices as appropriate. Thus, as required in other states such as Massachusetts and California, businesses need to be reviewing services agreements with their third-party vendors to ensure they include appropriate language to meet these requirements.

Note that with respect to the reasonable safeguard and data disposal requirements, PII is defined to include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device. This definition is not the same as the definition of “personal information” or “PI” with respect to the law’s breach notification requirement.

The Attorney General’s office has authority to enforce the new requirements, and may bring an action in law or equity to address violations of the law, and for other relief that may be appropriate to ensure compliance with the law or to recover direct economic damages resulting from the violation, or both.

This is a significant expansion of Colorado’s data breach notification law and the state’s rules for safeguarding personal data. Covered entities are advised to develop and implement practices and procedures appropriate for the PII and PI they own, license, or maintain, including administrative, technical and physical safeguards.


Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coaching hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees.
  • Supporting organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies including the HHS Office of Civil Rights, Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, he advises employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counseling plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assisting in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advising plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics, and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.