August 11, 2020

Volume X, Number 224


Colorado Enacts Stringent Data Breach Notification Law

Colorado’s governor recently signed into law an update to the state’s breach notice law. As we reported yesterday, the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username or email address (in combination with passwords or security questions). The law now calls for companies to conduct investigations when they become aware that a breach may have occurred (rather than when they become aware of a breach). The window that companies have to provide notice has also been modified: Colorado joins Florida in requiring notice within 30 days (as compared to the current “without unreasonable delay”).

The law will also join a handful of others (including California, Florida and Illinois) in requiring specific content in notices to impacted individuals. This includes the date or date range of the breach, the type of information impacted, and contact information for the company, the FTC, and credit reporting agencies. For breaches that impact usernames and passwords, companies will also need to tell people to change their passwords and, as appropriate, to take other steps to protect their account. Notice to the state Attorney General will be required if more than 500 residents are affected. If more than 1,000 residents are impacted, the company also needs to notify credit reporting agencies.

Putting It Into Practice: Companies updating their nationwide incident response plans should take into account Colorado’s 30-day timing requirement, notice content requirements, and AG notification requirement (if more than 500 residents are impacted).

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VIII, Number 178


About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...