Colorado Amends Data Breach Notification Statute
On May 29, 2018, Colorado Governor John Hickenlooper signed House Bill (“HB”) 1128 into law, amending the State’s data breach notification statute and imposing significant new requirements on entities that must notify Colorado residents of a data incident pursuant to Colo. Rev. Stat. § 6-1-716. Among its provisions, HB 1128 expands the law’s definition of “personal information,” adds content requirements and a 30-day time limit for consumer notification, and requires entities to notify the Colorado Attorney General of any breach affecting 500 or more Colorado residents. Previously, entities were not required to notify the Colorado Attorney General regarding a breach of any size.
HB 1128, which goes into effect on September 1, 2018, reshapes Colorado’s data breach notification statute as follows:
- Expands Definition of “Personal Information”: Colorado’s statute currently defines personal information as an individual’s first name or first initial and last name, plus one or more of the following:
- Social Security Number;
- Driver’s license or identification card number;
- Account number or credit/debit card number, in combination with any required security code, access code, or password that would permit access to the account.
- HB 1128 will expand the definition of “personal information” to include an individual’s first name or first initial and last name, plus one or more of the following:
- student, military, or passport identification number;
- medical information;
- health insurance identification number; or
- biometric data.
- HB 1128 will also expand the definition of “personal information” to include the following data sets, even when not linked with a Colorado resident’s name:
- a username or email address, combined with the password or security question and answers that provides access to the account; or
- a resident’s account number, or credit or debit card number, combined with any security code, access code, or password that permits access to the account.
- Requires Protection of Personal Information: HB 1128 requires covered entities to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information maintained and to the nature and size of the business and its operations.
- Strikes In-State Business Nexus Requirement: Under the current Colorado data breach notification statute, an entity that conducts business in Colorado and owns or licenses electronic data containing Colorado residents’ personal information must notify affected residents of a breach. HB 1128 eliminates this requirement, applying the Colorado data breach notification statute to entities that may have no business relationship with Colorado but that otherwise maintain, own, or license personal information belonging to one or more Colorado residents.
- Imposes 30-day Time Limit for Notification: Beginning September 1, an entity subject to the Colorado data breach notification statute must notify consumers within 30 days after determining that a breach may have occurred.
- Adds Notification Content Requirements: Currently, Colorado’s breach notification statute does not require consumer notification to contain any particular information regarding a data incident. Once HB 1128 goes into effect, consumer notification must include the following:
- The date or estimated date(s) of the breach;
- A description of the personal information acquired or reasonably believed to have been acquired;
- The entity’s contact information for residents to inquire about the breach;
- The toll-free numbers, addresses, and websites of the nationwide consumer reporting agencies (CRAs);
- The toll-free number, address, and website of the Federal Trade Commission (FTC); and
- A statement that residents can obtain information about fraud alerts and security freezes from the FTC and the CRAs.
- Requires Specific Notice for Breaches Affecting Usernames and Email Accounts: Once HB 1128 takes effect, covered entities will be required to direct residents whose usernames and/or email addresses and access credentials were affected and are reasonably likely to be misused to promptly change their passwords and security questions / answers, or to take other steps to protect their relevant online accounts.
- Imposes Regulatory Notifications: Once HB 1128 takes effect, if a breach affects 500 or more Colorado residents, a covered entity will also be required to provide notice to the state’s Attorney General within 30 days.
Businesses and other organizations outside The Centennial State should assess whether their practices will soon fall under the Colorado breach notification statute’s revised scope before the amendments go into effect. Moreover, entities covered by Colo. Rev. Stat. § 6-1-716 will need to revisit their breach notification policies and procedures, and their general information security policies and procedures, to ensure they will be ready to comply with the host of new requirements mandated by HB 1128 before September 1. Entities should consult with experienced counsel well-versed in the different data breach notification standards across the 50 states and territories, as well as in incident and breach response preparedness, to ensure their breach policies and procedures are in line with Colorado’s changing breach notification requirements.