Colorado Privacy & Cybersecurity Handbook
September 2018 Update
Effective September 1, 2018, Colorado amended its data breach notification law and implemented new data security requirements for entities doing business in the state. Those changes impact the discussion in Chapter 1 (Colorado's Breach Notification Statute) and Chapter 2.02 (State Information Security Requirements) of the Handbook. For an analysis of the revised law, readers should refer to the article available here.
Over the last few years, states have taken the lead in enacting privacy and cybersecurity laws and regulations. Colorado is no exception. In just the past year, Colorado enacted privacy and cybersecurity legislation covering the use of student personally identifiable information and authorized the use of self-driving vehicles in the state, and the Colorado Division of Securities promulgated cybersecurity rules applicable to broker-dealers and investment advisers. Those laws and regulations augment existing privacy and cybersecurity laws such as Colorado’s breach notification statute, computer crime statute, and consumer privacy protection laws.
Any entity operating in Colorado should understand and comply with these laws and regulations to the extent that they apply to its operations. What complicates this task, however, is that the laws are spread across many different statutes and regulations, so identifying them requires a herculean effort. To address this challenge, this handbook summarizes Colorado’s privacy and cybersecurity statutes, regulations, and relevant case law. It is intended to provide attorneys, privacy officers, lawmakers, and decision-makers with a single reference to the many different sources that make up Colorado privacy and cybersecurity law.