Colorado’s new privacy legislation, an Act Concerning Strengthening Protections for Consumer Data Privacy (HB18-1128), joins that of other states — including California and Vermont — in a growing chorus of state laws on consumer privacy. The law, which took effect Sept. 1, 2018, amends the existing data breach law to create additional privacy and security obligations for public and private entities handling personal data. These include data destruction and deletion requirements, enhanced data security requirements and new breach notification provisions.

The law applies to a broad range of public and private “covered entities,” including any one that “maintains, owns, or licenses” personal data in the course of their business or occupation. The amended law adds a new category of personal data called “Personal Information,” while maintaining the existing category, “Personal Identifying Information.” The amended law applies to PII for the purposes of security and destruction and to PI for the purposes of breach and notification requirements.  

PII destruction

Colorado law already required entities to develop a policy for the destruction of documents; however the amended law specifies entities must develop a written policy for the destruction or proper disposal of any paper or electronic documents containing PII. The policy shall require destruction when the documents “are no longer needed” by such means as “shredding, or erasing, or otherwise modifying” the PII in the document so it is “unreadable or indecipherable through any means.”

The law does not define when documents are to be considered “no longer needed.” Accordingly, businesses should build into their document retention and destruction plans guidance on how to determine the ongoing business use for documents they intend to keep. For data destruction purposes only, PII means a Social Security number, personal identification number, password, pass code, official state or government issued driver’s license or identification card number, government passport number, biometric data, an employee, student or military identification number, or a financial transaction device.

New data security and vendor management requirements for PII

Entities that maintain, own, or license the PII of “an individual residing in” Colorado are required to implement and maintain reasonable security procedures and practices appropriate to the nature of the PII and the nature and size of the business and operation.

The law also now requires entities to provide their own security protection when PII is maintained, stored or processed by a third-party service provider, defined as an entity “contracted to maintain, store, or process” PII on the entity’s behalf. If entities are not able to provide their own security protection, they must ensure that the third party has equally effective security measures.

Vendor contracts involving transfer of PII must now, if they involve the PII of Colorado residents, include provisions obliging the vendor to “maintain reasonable security practices that are: (a) appropriate to the nature” of the disclosed PII and “(b) reasonably designed to help protect the [PII] from unauthorized access, use, modification, disclosure, or destruction.” PII is considered not disclosed to a vendor if a covered entity “retains primary responsibility” for the security of the PII, including circumstances where the vendor is storing but lacks access to the PII.

Breach of PI and notification

As explained above, for security breach and notification requirements, only PI is covered by the new law. This means entities do not have an obligation to destroy or delete PI.

Section 6-1-716 defines PI as a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted or secured by any other method rendering the name or the element unreadable or unusable:

• Social Security number.
• Student identification number.
• Military identification number.
• Passport identification number.
• Driver’s license number or identification card number.
• Medical information.
• Health insurance identification number.
• Biometric data.
• Online login credentials.
• Online banking credentials.

PI that is lawfully made available to the general public, whether through government records or widely distributed media, is not personal data. The law does not define when information becomes “widely distributed in the media.” Security breach is defined as the “unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of [PI] maintained by a covered entity.” When a covered entity’s employee or agent “acquires” PI in “good faith,” it is not a breach, provided the PI “is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.”

Breach notification

Following a security breach, an entity must investigate to determine if Colorado residents’ PI “has been or will be misused.” Notice to affected residents is mandatory unless misuse of the information hasn’t happened and isn’t “reasonably likely” to happen. Notice must be given in the most expedient way and without unreasonable delay, but not later than 30 days after confirming a breach. The notice can be via written letter, telephone, email notice if the option is available, or electronic if the resident chose that to be the primary means of communication or the notice provided complies with Electronic Signature in Global and National Commerce Act.

If a breach concerns login credentials for an email account furnished by the entity, the entity must make a notice following the same method or deliver a conspicuous notice online when the person logs in using a recognized IP address or online location. All notices must be sent using the most expedient means or within 30 days. The notice of security breach must include a description of the PI that was acquired or are reasonably believed to have been acquired as part of the security breach, and contact information of the entity and relevant authorities.

If an entity is required to send notice of a security breach to Colorado residents, then the entity is also required to provide notice to the Colorado Attorney General’s Office within 30 days of the breach, provided the security breach is reasonably believed to have affected 500 or more Colorado residents.

Breach notification by vendor

Under the new law, a vendor is not required to notify Colorado residents if a security breach of PI has occurred. Instead, the law requires the vendor to give notice to the covered entity in the most expedient way and cooperate with the covered entity. The law does not state whether the vendor is required to investigate whether PI has been or will be misused. This apparently shifts the burden of investigation to the covered entity to determine whether PI has been or will be misused, even if the breach did not occur at their end.

Enforcement mechanisms

The attorney general can bring an action in law or equity against an entity that has failed to meet the requirements for disposal of PII, failed to reasonably protect PII, or failed to comply with notification and disclosure requirements for PI. The AG also has the authority to bring criminal actions for various cybercrimes under Section 18-5.5-102. If a governmental entity violates one of the law’s provisions, the AG’s only remedy is injunctive relief.

Photo credit: J. Stephen Conn via Flickr