Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country. The new law—which becomes effective on September 1, 2018—was spearheaded by the Colorado Attorney General's office, which is charged with enforcing its requirements. As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.
Ballard Spahr attorneys David Stauss and Gregory Szewczyk will host a webinar on Monday, June 4, 2018, at 12 PM PT/1 PM MT/3 PM ET to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance. Messrs. Stauss and Szewczyk are uniquely situated to discuss the new law, having assisted in developing the legislation, including Mr. Stauss testifying on the bill in front of the House Committee on State, Veterans, & Military Affairs. Click here for more information and to register.
The most notable provisions of the new law are as follows:
Data Security Requirements
For the first time, covered entities that maintain, own, or license "personal identifying information" (PII) of a Colorado resident are required to implement and maintain reasonable security procedures and practices that are "appropriate to the nature of the personal identifying information and the nature and size of the business and its operations."
The law defines PII broadly to include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device (as defined in C.R.S. § 18-5-701(3)).
Covered entities also must take measures to protect PII when transferring it to third parties. Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity "shall require" the third-party service provider to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII disclosed and reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction. A "third-party service provider" is defined as an entity that "has been contracted to maintain, store, or process personal information on behalf of a covered entity."
The law also requires covered entities that maintain electronic or paper documents that contain PII to develop a written policy for the destruction of such documents when they are no longer needed.
The Attorney General’s office is authorized to enforce these new requirements and may bring an action in law or equity to ensure compliance or recover direct economic damages resulting from a violation.
As a consequence of these new requirements, covered entities should consider developing and implementing written information security programs that include appropriate administrative, technical and physical safeguards for the types of PII that they maintain, own or license.
Changes to Colorado's Breach Notification Law
The new law strengthens and expands Colorado’s data breach notification law. Perhaps the most significant change is that covered entities now must notify affected individuals within 30 days after determining that a security breach occurred that resulted in, or is likely to result in, misuse of personal information. Colorado’s 30-day deadline is the shortest of any state. Florida also has a 30-day deadline but allows for an additional 15 days under certain circumstances.
The new law drastically expands the types of information that will trigger a breach notification obligation if compromised. Specifically, the law defines "personal information" to mean a Colorado resident’s first name or first initial and last name in combination with any of the following data elements: social security number; student, military or passport identification number; driver's license number or identification card number; medical information; health insurance identification number; or biometric data. The definition also includes a Colorado resident’s username or e-mail address in combination with a password or security questions and answers that would permit access to an online account or a Colorado resident's account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account. However, a covered entity does not need to provide notice if the information was encrypted unless the encryption key also was compromised.
Importantly, the law does not create exemptions for entities subject to reporting requirements under the Gramm-Leach-Bliley Act or HIPAA. Rather, if there is a conflict between the 30-day time period for providing notice under Colorado law and a time period in another federal or state law, the law with the shortest time frame for providing notice controls.
The law also specifies what type of information must be included in the notice, such as a description of the PII involved in the breach, the date or estimated date of the breach, and contact information for the Federal Trade Commission and credit reporting agencies. If the breach involves the compromise of login information, a covered entity also is required to notify individuals to change their login information for that account and any other account that uses the same login information.
A covered entity must notify the Colorado Attorney General's office if it provides notice to 500 or more Colorado residents, and it must notify credit reporting agencies if it is provides notice to more than 1,000 residents.
If a third-party servicer provider experiences a data breach, it must notify the covered entity "in the most expedient time possible, and without unreasonable delay."
As with the new data security requirements, the Attorney General's office is charged with enforcing violations of the notification requirements. However, a covered entity that maintains its own notification procedures as part of an information security policy that is consistent with the new law is in compliance with the law’s requirements if the covered entity follows those procedures. Therefore, to ensure compliance, covered entities should consider developing and implementing incident response plans that are consistent with the new law.
Finally, the law adds new provisions that create similar obligations for government entities.
Members of Ballard Spahr's Privacy and Data Security Group provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors and help clients around the world identify, manage, and mitigate cyber risk. Our team of nearly 50 lawyers across the country includes investigators and advocates with deep experience in cyber-related internal and governmental investigations, regulatory compliance and enforcement matters, cyber-related crisis management, and civil and criminal litigation.
Copyright © 2018 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.