Businesses in Colorado and entities doing business in Colorado will now have to comply with new data security legislation that went into effect on September 1. The new law requires entities to implement and maintain reasonable security measures to protect documents containing personal identifying information of Colorado residents, third-party service providers must implement and maintain security measures to protect documents with personal identifying information of Coloradans, and written policy must be implemented for how to dispose of documents containing Coloradan personal identifying information.

The new legislation broadens the type of information that will trigger a breach notification obligation if data is breached and the law defines "personal identifying information" as a Colorado resident's first name or initial in combination with any of the following: social security number, student, military or passport number, driver's license, and/or biometric data.

Read the full article here. Subscription may be required.