by Tanya Seda, Chief Strategy Officer, Network Control
A new and demanding data privacy law took effect in Colorado this September, and we have been intently watching to see if there have been any efforts to modify the law. Fortunately, no new developments have occurred that the enterprise would have to be aware of at this point in time.
To refresh readers’ memories, the original house bill is designed to provide individuals with enhanced data protection rights. Colorado HB18-1128, known as Protections for Consumer Data Privacy, extends protection requirements to third parties that process or hold information on behalf of others.
Below is an outline of the new law and its risk implications:
HB18-1128’s most notable change is to Colorado’s breach notification requirements. Under existing state law, businesses must notify persons affected by a data breach “in the most expedient time possible and without unreasonable delay.” Under HB18-1128, covered entities must now notify affected persons within 30 days of confirmation of a data breach. This is much more specific, and it’s worth noting that this is the smallest window in the country.
The new law also requires businesses to notify Colorado’s attorney general when a breach affects 500 or more persons, and consumer reporting agencies when a breach affects 1,000 or more.
This law applies to all businesses, from one-person operations to multi-national corporations.
- Businesses and agencies must have a written policy explaining how they will dispose of the personal information they keep and follow through on those procedures.
- If a data breach is detected, entities must alert consumers that their data has been compromised within 30 days. If more than 500 Coloradans are impacted, the entity must alert the attorney general’s office.
- Entities must take “reasonable” steps to protect the personal information they keep.
Note that third parties that maintain, store, or process data on behalf of covered entities also fall under the law. It does not matter whether or not you have a physical presence in Colorado; those without a physical presence in the state are covered as well.
HB18-1128 also expands the definition of “personal information.” Under Colorado’s existing law, personal information includes social security numbers; driver’s license or other state identification numbers; and account, credit card, or debit card numbers in combination with security codes, access codes, or passwords. Under the new law, personal information also includes:
- Student, military, or passport identification number.
- Medical information.
- Health insurance identification numbers.
- Biometric data.
- Usernames and emails in combination with passwords or security questions and answers.
Enterprises that do business in Colorado should review their existing programs to ensure the new privacy practices are enacted. This may mean examining current policies and reevaluating overall policy and sub-policy limits.
One last area of concern is that businesses that could be affected by the law need to review their information security policies, procedures, and third-party service contracts. Look for areas with specific provisions related to data protection. If third parties process or maintain data for you, make sure their policies are in line with the new house bill.