Colorado Governor John Hickenlooper has signed into law two bills implementing enhanced protections and obligations for entities handling student personally identifiable information and increasing state resources dedicated to cybersecurity. The legislation comes a few months after the Governor announced that Colorado Springs would be the home of a National Cybersecurity Intelligence Center and demonstrates Colorado’s continued commitment to privacy and data security.

The Student Data Transparency and Security Act is meant to enhance existing student data privacy protections. In fact, this Act has been described as one of the country's toughest student privacy laws. It implements a new definition of Student Personally Identifiable Information (SPII), defined as "information that, alone or in combination, personally identifies an individual student or the student's parent or family, and that is collected, maintained, generated, or inferred by a public education entity, either directly or through a school service, or by a school service contract provider or school service on demand provider."

Among other things, the bill requires any entity—other than a public entity or institution of higher education—that enters into a formal contract with the Colorado Department of Education, a local education provider, state charter school, or public school to identify what SPII it collects, the learning purpose for that collection, and how the entity uses or shares SPII. It also requires entities to notify the educational institution with which it is contracting if the entity discovers misuse or unauthorized release of SPII or makes any change to its privacy policy.

Entities receiving SPII are also prohibited from collecting, using, or sharing the information unless authorized by contract or with the consent of the student or student’s parents. Unless an exception applies, entities receiving SPII are specifically forbidden from selling it, using or sharing it for purposes of targeted advertising to students, or using it to create a personal profile of a student other than for purposes authorized by the contracting public education entity or with the student or student’s parent's consent.

Entities also must maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of SPII. The information security program is required to use appropriate administrative, technological, and physical safeguards. Entities are required to destroy, not delete, personally identifiable information, unless otherwise authorized.

Additionally, the bill creates obligations for on-demand providers, which it defines as an entity, other than a public education entity, that provides a school service on occasion to a public education entity, subject to agreement by the public education entity or an employee of the public education entity.

The Colorado Cybersecurity Initiative's legislative declaration states that "cyber threats have continued to grow in significance, scale and scope, and sophistication in the past several years." Cybersecurity is identified as "a top priority" due to the "dramatic increase in the number of cyberattacks . . . coupled with the inadequate resources to respond" to them.

The bill addresses the lack of resources in three ways:

  • It establishes the Colorado Cybersecurity Council in the Department of Safety to operate as a steering group to develop cybersecurity policy guidance for the Governor, create a comprehensive set of goals, requirements, initiatives and milestones, and to coordinate with the General Assembly and judicial branch regarding cybersecurity. The Cybersecurity Council will be comprised of various officials, including representatives from the Governor’s Office, Department of Public Safety, Colorado National Guard, and the Attorney General’s Office.

  • The Cybersecurity Initiative empowers the Department of Public Safety to coordinate with various agencies, including the Division of Homeland Security and Emergency Management, Colorado Bureau of Investigation, and Federal Bureau of Investigation to define operational requirements for in-state and interstate operational and training requirements.

  • The bill authorizes the University of Colorado at Colorado Springs to partner with other institutions of higher education and nonprofit organizations to establish and expand educational programs focusing on cybersecurity. The University is also authorized to partner with nonprofit organizations to establish a secure environment for research and development, initial operational testing and evaluation, and expedited contracting for production for industrial cyber products and techniques.

Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our cross-disciplinary team of attorneys helps clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance and litigation risk.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.