Colorado Strengthens its Consumer Data Protection Law
Back in January, Colorado lawmakers on both sides of the aisle introduced a groundbreaking new bill, HB 1128, requiring “reasonable security procedures and practices” for protecting personal identifying information, limiting the time frame to notify affected Colorado residents and the Attorney General of a data breach, and imposing data disposal rules. Now, Colorado Governor John Hickenlooper has signed the bill into law, marking Colorado as a leader in data protection. The new law will take effect September 1, 2018, and has significant implications for certain private and public sector entities in Colorado.
HB 1128 was sponsored by Rep. Cole Wist (R), Rep. Jeff Bridges (D), Senator Kent Lambert (R) and Senator Lois Court (D), and was passed unanimously by the Legislature, signifying the bipartisan understanding that, in today’s climate, data security is a key issue that must be addressed. Nonetheless, the bill was initially met with opposition by large businesses that argued that certain heightened requirements were already obligatory under federal law, and that notification to the Attorney General within 7 days was too short a timeframe to determine if misuse of data had occurred, which could result in fear over identity theft even when none was present. The bill was then given an overhaul, taking into consideration the businesses’ concerns.
Key updates to Colorado’s new law include:
- Expansion of breach notification requirements.
The bill expands the definition of information that, if breached, would require notification to affected Colorado residents. Under the new law, “personal information” (PI) means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military, or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. PI also includes a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers that would permit access to an online account. Finally, PI includes a Colorado resident’s account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account.
In addition, businesses that have to report a data breach affecting Colorado residents will have to notify affected residents and, if more than 500 Colorado residents are affected by the incident, the state’s Attorney General not later than 30 days after the date of determination that a security breach occurred. Currently, this is the shortest time frame of any U.S. state (Florida also has a 30-day notification period, but allows an additional 15 days under certain circumstances). Specific content requirements also were added to the state’s existing data breach notification law. Of note, the law does not create exemptions for entities subject to reporting requirements under HIPAA or the Gramm-Leach-Bliley Act, and if a conflict exists between the 30-day notice period and a time period under another state or federal law, the shortest notice period applies.
- Requirements for reasonable security procedures and data disposal.
The new law adds requirements for businesses to implement reasonable safeguards to protect personal identifying information (PII), as well as to have procedures for disposing of PII that is no longer needed.
More specifically, covered entities in Colorado that maintain paper or electronic documents that contain personal identifying information must develop and maintain a written policy for the destruction and proper disposal of those documents. Additionally, covered entities that maintain, own, or license personal information, including those that use a nonaffiliated third party as a service provider, shall implement and maintain reasonable security procedures and practices to protect PII that are appropriate to the nature of the PII and the nature and size of the business and its operations. Moreover, unless the covered entity agrees to provide its own security protection for the information it discloses to a third party, the covered entity “shall require” the third-party service provider to implement and maintain reasonable security procedures and practices as appropriate. Thus, as required in other states such as Massachusetts and California, businesses need to be reviewing services agreements with their third-party vendors to ensure they include appropriate language to meet these requirements.
Note that with respect to the reasonable safeguard and data disposal requirements, PII is defined to include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device. This definition is not the same as the definition of “personal information” or “PI” with respect to the law’s breach notification requirement.
The Attorney General’s office has authority to enforce the new requirements, and may bring an action in law or equity to address violations of the law, and for other relief that may be appropriate to ensure compliance with the law or to recover direct economic damages resulting from the violation, or both.
This is a significant expansion of Colorado’s data breach notification law and the state’s rules for safeguarding personal data. Covered entities are advised to develop and implement practices and procedures appropriate for the PII and PI they own, license, or maintain, including administrative, technical and physical safeguards.