August 14, 2020

Volume X, Number 227

Colorado Passes Far Reaching New Privacy and Cybersecurity Law

Recently, Colorado Governor John Hickenlooper signed a new bill creating far-reaching requirements for entities that collect or maintain personal identifying information of Colorado residents. These requirements, which will create one of the strictest state-based privacy and data breach laws in the country, go into effect September 1, 2018. The Colorado Attorney General’s office led part of the effort to pass the new law, making enforcement a likely priority.

The new law requires organizations to maintain a policy for disposing of documents containing consumer data and to notify affected Colorado residents of any potential exposure of their personal information no later than 30 days after discovering a data breach. The 30-day notification window does not provide for any specific exemptions (such as for HIPAA-regulated entities) and is the shortest of any U.S. state.

A. Who does the new Colorado law apply to?

The new law will apply to any “Covered Entity” which is an entity that “maintains, owns, or licenses personal identifying information” of a Colorado resident in the course of business.

B. What constitutes personal identifying information?

The definition of personal identifying information is broad, and can include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device (as defined in C.R.S. § 18-5-701(3)).

C. What measures are Covered Entities required to implement?

  1. Reasonable Security Procedures and Practices: Covered Entities must themselves “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”

  2. Flow Down Security Requirements to Third Party Service Providers: Additionally, Covered Entities must also require any third party service providers with access to personally identifying information provided by the Covered Entity to also take measures that are “appropriate to the nature of the personal identifying information disclosed” and “reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.” Covered entities may also provide security for the transferred information themselves, although this will likely be the exception.

  3. Disposal Requirements for Personal Identifying Information: Covered entities that “maintain[] paper or electronic documents during the course of business that contain personal identifying information” will now be required to develop a written policy for the destruction or disposal of such information once such documents are “no longer needed.”

D. How have the Data Breach notification requirements changed?

  1. Personal Information now includes more categories: Colorado’s existing law covered personal information of Colorado residents. The new law adds new categories to what constitutes personal information. These new categories are: (1) student, military, or passport identification number; (2) medical information; (3) health insurance identification number; (4) biometric data; and (5) a username or email address, in combination with a password or security questions and answers, that would permit access to an online account.

  2. Expanded Notice Letter Requirements: Notice letters must now include (a) an estimated date or date range of the security breach; (b) a description of the personal information at issue; (c) a contact method for the covered entity; and (d) contact information for the Federal Trade Commission and the consumer reporting agencies, together with information about what consumers can obtain from those agencies, including fraud alerts and security freezes. If a username or email address in combination with a password or security question/answers is at issue, the notice must also direct the affected person to take appropriate protective steps, including changing their password and the answers to their security questions.

  3. Attorney General Must Be Notified if Breach Affects Over 500 Colorado Residents: This is likely to lead to additional interest in security breaches from the Colorado Attorney General’s office.

Tightening timeframes and expanding definitions of covered personal information require U.S. companies to more closely examine data breach response plans and prepare to investigate quickly and efficiently to comply with state reporting requirements.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume VIII, Number 157

About this Author

Cynthia Larose
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732
Brian H. Lam
Associate

Brian Lam is a member of Mintz’s Privacy & Security Practice and Technology Transactions Practice. Brian focuses his practice on providing practical advice that enables companies to pursue their business in a competitive environment while reducing risk associated with the collection, use, storage, transfer, and potential loss of data. He frequently negotiates complex data-centric information technology agreements, and designs policies and corresponding controls for the implementation of best practices, compliance with state and federal law, and international considerations. He often reviews the data flows within an organization from both a senior leadership perspective as well as at the implementation level, and provides actionable recommendations to engineer such data flows in order to reduce compliance risk and engender consumer trust.

Brian frequently provides advice to clients that wish to buy or sell corporate entities whose business models leverage data and information technology, including data aggregation, analytics, and open source software.

Brian has been designated a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals, and is also a Certified Information Privacy Professional (CIPP) (US Specialization), Certified Information Privacy Manager (CIPM), and a Certified Information Systems Security Professional (CISSP). He has a B.S. in Computer Science and an M.S. in Telecommunications from the University of Colorado at Boulder, College of Engineering and Applied Science.

He is also a member of Governor Brown’s California Cybersecurity Task Force, a statewide partnership comprised of key stakeholders, subject matter experts, and cybersecurity professionals from California's public and private sectors, academia, and law enforcement that serves as an advisory body to the State of California Senior Administration Officials in matters related to cybersecurity.

Before becoming an attorney, Brian worked at one of the country’s leading information security firms, where he focused on analyzing the existing network security controls of financial institutions, online merchants, and government organizations. He also conducted penetration tests, provided guidance on PCI-DSS compliance, and assisted federal law enforcement with digital forensics post security incident. Subsequently, he joined one of the world’s largest management consulting and information services firms, where he led efforts to design and implement large-scale information security initiatives for Fortune 500 companies, including one of the world’s largest banking and consumer credit companies.

858.314.1583