Colorado enacts expansive consumer data protection law, includes 30-day breach notification requirement

Privacy/Cyber Risk & Data Security State Issues State Legislation Data Breach Consumer Protection

On May 29, the Colorado governor signed HB1128, which significantly expands Colorado’s consumer data protection laws to include a broader definition of personal information and a 30-day notice requirement regarding data breaches. The law, which is effective on September 1, requires covered entities—defined in the statute as, “a person . . . that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation”— to notify affected Colorado residents within 30 days after the determination that a security breach occurred. The notice to residents must include, among other things, (i) the date range of the security breach; (ii) a description of the personal information that was part of the security breach; (iii) contact information for the entity; and (iv) contact information for credit reporting agencies and the FTC. The act defines personal information to include a Colorado resident’s first name or first initial and last name in combination with the following non-encrypted or redacted items: “social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.” Other key elements of the law include:

• In addition to notifying affected residents, covered entities must notify the Colorado Attorney General within 30 days if the entity determines 500 or more people have been affected by the security breach, unless the entity determines that misuse of the information has not and is not likely to occur.
• If the covered entity determines 1000 or more people are affected by the security breach, “in the most expedient time possible and without unreasonable delay” the entity must notify all consumer reporting agencies.
• Covered entities are required to implement and maintain reasonable security procedures that are “appropriate to the nature of the personal identifying information and to the nature and size of the business and its operations.”
• If a covered entity discloses a consumer’s personal information to a third-party service provider, the covered entity must require the third-party to implement and maintain reasonable security procedures.

The law also includes security and notification requirements for Colorado governmental entities.