Overview of Colorado’s Data Security Laws
What are Colorado’s data security laws?
There are three primary components to Colorado’s data security laws.
- Colorado requires certain persons and entities that maintain personal identifying information (PII) in paper or electronic form to establish written policies governing the disposal of PII.
- Colorado law requires certain persons and entities to take reasonable steps to protect PII.
- The law requires notification of security breaches affecting personal information (PI), which includes detailed notice to Colorado residents and, in certain circumstances, notice to the Attorney General.
Who is impacted by the changes to Colorado’s consumer data security laws?
Any person, commercial entity, or governmental entity that maintains, owns, or licenses PII or PI of Colorado residents in the course of its business, vocation, or occupation.
What is PII?
PII includes social security numbers; personal identification numbers; passwords; pass codes; official state or government-issued driver’s license or identification card numbers; government passport numbers; biometric data; employer, student, or military identification numbers; and financial transaction devices, including financial account numbers.
What is PI?
PI includes a Colorado resident’s first name or first initial and last name in combination with any of the following, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:
- Social Security number;
- Driver’s license number or identification card number;
- Student, military, or passport identification number;
- Medical information;
- Health insurance identification number; or
- Biometric data (e.g., fingerprints, iris recognition, retinal scans) used to authenticate an individual when they access an online account.
PI also includes:
- A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; and
- A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
PI does not include information that is lawfully made available to the general public from government records or widely distributed media.
Disposal of Personal Identifying Information
What does the law say about disposal of PII?
If you maintain PII, in paper or electronic form, you are required to develop a written policy to ensure that the PII is destroyed or properly disposed of when it is no longer needed. Private persons and entities should refer to C.R.S. § 6-1-713. Governmental entities should refer to C.R.S. § 24-73-101.
I am regulated by state or federal law, and my regulator sets its own requirements for disposal of PII. Is it sufficient to follow those laws and regulations?
Yes. If you maintain procedures for disposal of PII pursuant to the laws, rules, regulations, guidances, or guidelines established by your state or federal regulator, you are in compliance with Colorado’s law governing disposal of PII.
Protection of Personal Identifying Information
What steps does the law require me to take to protect PII that I maintain, own, or license in the course of my business?
You are required to implement and maintain reasonable security procedures and practices to protect PII, taking into account the nature and size of your business and the type of PII you collect. See C.R.S. § 6-1-713.5 if you are a person or commercial entity, or C.R.S. § 24-73-102 if you are a governmental entity.
I am regulated by state or federal law, and my regulator sets its own requirements for protection of PII. Is it sufficient to follow those laws and regulations?
Yes. If you maintain procedures for the protection of PII pursuant to the laws, rules, regulations, guidances, or guidelines established by your state or federal regulator, you are in compliance with Colorado’s law governing the protection of PII.
What obligations do I have if a third-party service provider maintains, stores, or processes PII on my behalf?
Unless you agree to provide your own security protection for any PII you disclose to a third-party service provider, you must require the third-party service provider to implement and maintain reasonable security procedures and practices that are appropriate to the kind of PII you disclose, and are reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction.
Security Breach Notification
I am a person, commercial entity, or governmental entity that collects PI. Do I need to familiarize myself with Colorado’s security breach notification laws?
Yes. Persons, commercial entities, and governmental entities that collect or maintain PI should be familiar with Colorado’s security breach notification laws. See C.R.S. § 6-1-716 if you are a person or commercial entity; see C.R.S. § 24-73-103 if you are a governmental entity.
What is a security breach?
A security breach is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PI maintained by a person, commercial entity, or governmental entity.
For example, a security breach can occur when:
- An employee clicks on a link or opens an email attachment that contains malware;
- An employee provides their password or other sensitive information to an unauthorized person;
- Your entity is the victim of a ransomware attack (which is sometimes accompanied by malware that steals data);
- Unencrypted PI is sent through a payment system;
- A briefcase containing client files is stolen or misplaced; or
- A mobile device or data storage device containing personal information is stolen or misplaced.
Under what circumstances do I have to notify Colorado residents of a security breach?
If you become aware that a security breach may have occurred, you must conduct a prompt, good-faith investigation to determine the likelihood that PI has been or will be misused. You must provide notice to the affected Colorado residents, unless the investigation determines that the information has not been misused and is not reasonably likely to be misused.
How long do I have to provide notice to the affected Colorado residents?
You must provide notice in the most expedient time possible, without unreasonable delay, and within 30 days after the date of determination that a security breach has occurred. Notice may be delayed consistent with the legitimate needs of law enforcement, or consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
Other than the affected Colorado residents, am I required to notify anyone else?
- If the security breach is reasonably believed to have affected 500 or more Colorado residents, you must provide notice to the Colorado Attorney General. You must provide this notice in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred.
- Notice to the Colorado Attorney General should be sent to firstname.lastname@example.org.
- If the security breach is reasonably believed to have affected more than 1,000 Colorado residents, you must notify the consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. You must notify these agencies of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. You must provide this notice in the most expedient time possible and without unreasonable delay.
- If sensitive information relating to residents of other states was compromised, you should review the applicable state law for notice requirements.
How must the notice to Colorado residents be provided?
Notice must be provided by:
- Written notice to the Colorado resident’s postal address listed in your records,
- Telephonic notice, or
- Electronic notice, if you use electronic means as a primary method of communicating with the Colorado resident, or if you provide notice consistent with the provisions regarding electronic records and signatures set forth in the federal “Electronic Signatures in Global and National Commerce Act,” 15 U.S.C. sec. 7001 et seq.
Is there any exception to the requirement to provide notice in this manner?
Yes, you may provide substitute notice if:
- The cost of providing notice will exceed $250,000;
- The number of Colorado residents to be notified exceeds 250,000; or
- You do not have sufficient contact information to provide notice.
What are the requirements for substitute notice?
Substitute notice must be provided by:
- E-mail, if you have email addresses for the affected Colorado residents;
- Conspicuous posting of the notice on your website; and
- Notification to major statewide media.
What information should I include in the notice to Colorado residents?
The notice must include the following:
- The date, estimated date, or estimated date range of the security breach;
- A description of the personal information that was acquired as part of the security breach (or that is reasonably believed to have been acquired);
- Information that a resident can use to contact you to inquire about the security breach;
- A statement that the resident can obtain information from the Federal Trade Commission (FTC) and the credit reporting agencies about fraud alerts and security freezes;
- The toll-free numbers, addresses, and websites for consumer reporting agencies; and
- The toll-free number, address, and website for the FTC.
As of the date of this post, the website for the FTC is: https://www.ftc.gov/.
The security breach included a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account. Are there additional notice requirements?
Yes. In this case, you must also direct the affected Colorado residents to take steps to protect their accounts that may be accessed with the compromised credentials, i.e., instruct them to change their user password and/or security questions and answers.
My entity is regulated by state or federal law (e.g., the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA)) and maintains procedures for security breaches in compliance with those laws and regulations. Is it sufficient to comply with those laws and regulations?
For the most part, yes. However:
- If the security breach is reasonably believed to have affected 500 or more Colorado residents, you are still required to provide notice to the Colorado Attorney General at email@example.com; and
- If the applicable laws set forth different timeframes for the notification to Colorado residents, the law with the shorter timeframe applies. For example, while HIPAA, in some circumstances, permits notification within a period of up to 60 days, you must provide notice in compliance with Colorado’s 30-day timeframe.
What do I have to provide in my notice to the Colorado Attorney General?
Provide the following in your notice to the Attorney General:
- The name of your organization and a primary contact who can be reached for further information;
- The date you learned there may have been a security breach;
- The date you determined that a security breach occurred;
- The date that you provided notice to impacted Colorado residents;
- The number of Colorado residents impacted by the breach;
- The total number of individuals impacted by the breach; and
- A copy of the notice you provided to Colorado residents.
The Attorney General may release your notice if it is requested under the Colorado Open Records Act. If you intend to send information that must be kept confidential under applicable law, please provide the basis for your position in a separate email accompanying submission of your notice to firstname.lastname@example.org.