Today is Data Privacy Day, a day promoting the importance of (as the name suggests) data privacy. In a world where everything is online and digital, consumers increasingly have to rely on businesses to protect their most sensitive information. As consumers we deserve to be protected, but satisfying these escalating demands is often a challenge for business owners.
In honor of Data Privacy Day, I thought I’d pick up where I left off in my previous post. There, I discussed Colorado’s Data Privacy Act and, specifically, its requirements regarding the security and disposal of sensitive personal information collected by businesses on Colorado residents.
This entry looks at the updated requirements that the law imposes regarding data breach response and notification. If you read no further than this sentence, every business owner should be aware that the law requires a prompt investigation and notice within thirty (30) days. More on this below, but first a couple of points of clarification:
Discussing "data breaches" might make you think of something akin to cyberwarfare, but breaches can occur in a range of much more ordinary situations. For example, a breach may occur when an employee clicks on a seemingly innocuous link in a phishing email, or because weak passwords on a local network, workstation or screensaver permit unauthorized access to computer files. Alternatively, a breach may result from a lost or misplaced phone, laptop or file folder.
What makes for a data breach is that there has been, or reasonably likely has been, unauthorized access to or acquisition of sensitive information, which in Colorado the Act calls "personal information" (PI).FN1 PI includes three kinds of sensitive information:
An individual’s first name or first initial and last name combined with any of the following:
An identification card number (including a Social Security number, Driver’s License number, Passport number, or Student, Military, or Health Insurance identification number),
Medical information (including information about medical or mental health treatment or diagnosis), or
Biometric data (e.g., fingerprints, retinal scans), meaning unique measurements or analysis of human body characteristics used for the purpose of authenticating the individual when he or she accesses an online account;
An individual’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; and
An individual’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.FN2
The law does not apply to encrypted or redacted PI unless the encryption key, or some other means of deciphering the PI, was also accessed. In practice this safe harbor only helps if keys are stored and controlled separately from the data they protect; a stolen laptop with the database and the key on the same disk, or a compromised server with the key in a configuration file beside the data, does not qualify.
Under Colorado's updated data privacy laws, a prompt response is required when there is "sufficient evidence" of a data breach. Because the requirement turns on the evidence available, ignorance will not excuse non-compliance where there was reason to know that a breach had occurred. As a result, the Colorado law shifts the burden to businesses to make sure that they are paying attention to who may be accessing the PI they hold, which in practice means keeping and actually reviewing access logs for the systems where PI lives.
When there is sufficient evidence of a breach, the business must conduct a good-faith investigation, the purpose of which is to determine whether PI was accessed or compromised, if so which PI, and whether it is likely to be misused. The affected business has thirty (30) days to make these determinations, at which point proper notification is required.
Notice within thirty (30) days:
Unless the investigation concludes that PI has not been misused and is not reasonably likely to be misused, the business must provide notice to the affected Colorado residents. This notice must be provided in the most expedient manner possible and without unreasonable delay, but no later than thirty (30) days from the date when there first was sufficient evidence of a data breach.FN3
This notice should include information about the breach (e.g., its date(s) and a description of the information affected) as well as contact information for the affected business, the consumer reporting agencies, and the Federal Trade Commission (FTC).FN4 Do not include any PI in the notice itself; a notification letter that repeats the compromised data is a second disclosure.
Additionally, if the breach affected 500 or more Colorado residents, the Colorado Attorney General must also be notified,FN5 and if the breach affected more than 1,000 Colorado residents, the business must also notify the nationwide consumer reporting agencies.FN6
Generally, compliance with another state or federal law or regulation that governs the business's handling of PI satisfies the Colorado law's notice requirements. However, should that other law or regulation permit notice in a period longer than 30 days, notice must still be made within 30 days to comply with the Colorado law. Furthermore, Colorado law still requires notification of the Attorney General when 500 or more Colorado residents are affected by the breach.
Additional information can be found on the Colorado Attorney General's website, including the FAQ referenced here.