COLORADO DATA BREACH NOTIFICATION (2018 Update)

Jan. 28, 2019 • by Jeffrey Pote

Share on:

Today is Data Privacy Day, a day promoting the importance of - as the name suggests - data privacy. In a world of online and digital everything, consumers increasingly have to rely on businesses to protect their most sensitive information. As consumers we deserve to be protected, but satisfying these escalating demands is often a challenge for business owners.

In honor of Data Privacy Day, I thought I’d pick up where I left off in my previous post. There, I discussed Colorado’s Data Privacy Act and, specifically, its requirements regarding the security and disposal of sensitive personal information collected by businesses on Colorado residents.

This entry looks at the updated requirements that the law imposes regarding data breach response and notification. If you read no further than this sentence, any business owner should be aware that the law requires prompt investigation and notice within thirty (30) days. More on this below, but first a couple points of clarification:

An ethernet cable is about to be plugged into the side of a laptop, connecting the device to the Internet, allowing access to a world of information and a world the access to your personal information.

Discussing "data breaches" might make you think of something akin to cyberwarfare, but breaches can occur in a range of much more ordinary situations. For example, a breach may occur when an employee clicks on a seemingly innocuous link in an email, or because weak passwords on a local network or screensaver permit unauthorized access to computer files. Alternatively, a breach may result from a lost or misplaced phone, laptop or file folder.

What makes for a data breach is that there has been – or reasonably likely has been – unauthorized access or acquisition of sensitive information – in Colorado, what the Act calls “personal information” (PI).FN1 PI includes three kind of sensitive information:

  1. An individual’s first name or first initial and last name combined with any of the following:

    1. An identification card number (including a Social Security number, Driver’s License number, Passport number, or Student, Military, or Health Insurance identification number),

    2. Medical information (including information about medical or mental health treatment or diagnosis), or

    3. Biometric data (e.g., finger prints, retinal scans) - meaning unique measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account;

  2. An individual’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; and

  3. An individual’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.FN2

The law does not apply to encrypted or redacted PI unless the information accessed included access to the encryption key or other means of deciphering the PI.

Prompt Response:

Under Colorado’s updated data privacy laws, a prompt response is required when there is “sufficient evidence” of a data breach. Since the requirement depends on the evidence available, ignorance will not be an excuse to compliance when there was reason to know that a breach had occurred. As a result, the Colorado law shifts the burden to businesses to make sure that they are paying attention to who may be accessing their PI.

When there is sufficient evidence of a breach, the business must conduct a good faith investigation, the purpose of which is to determine whether and, if so, what PI was accessed or compromised and whether it is likely to be misused. The affected business has thirty (30) days to make its determinations, at which point proper notification is required.

Notice within thirty (30) days:

Unless the investigation concludes that no PI has been misused or is reasonably likely to be misused, then the business must provide notice to the affected Colorado residents. This notice must be provided in the most expedient manner possible and without unreasonable delay, but no later than thirty (30) days from the date when there first was sufficient evidence of a data breach.FN3

This notice should include information about the breach (e.g. its date(s) and a description of the information affected) as well as contact information for the affected business, consumer reporting agencies, and federal trade commission (FTC).FN4 It is not a good idea to include any PI in any notification.

Additionally, if the breach affected 500 or more Colorado residents, the Colorado Attorney General must also be notified,FN5 and if the breach affected more than 1,000 Colorado residents, the business must notify certain nationwide, consumer reporting agencies.FN6

Generally, compliance with another state or federal law or regulation that governs the business’s PI satisfies the data privacy law’s requirements. However, should another law or regulation permit notice in a period longer than 30 days, notice still must be made within 30 days for compliance with the Colorado law. Furthermore, Colorado law still requires notification of the Attorney General, when 500 or more Colorado residents are affected by the breach.

If you need legal assistance drafting or reviewing an data security or privacy policy, please Reach out, Today!

Additional information can be found on the Colorado attorney general's website - the FAQ is here.


Click Here to Toggle End Notes:

FN1: The previous post discusses what the Act calls “personal identifying information” (PII). PII is relevant to the security and disposal requirements under the law, but not the incident response and breach notification requirements discussed here.

FN2: C.R.S. § 6-1-716(1)(g)(I)(A)-(C). But note that PI does not include any information that is legally available to the general public through government records or widely distributed media.

FN3: C.R.S. § 6-1-716(2)(a3). An exception to the thirty-day requirement is permitted in the event that law enforcement determines that notice would impede criminal investigation of the incident.

FN4: C.R.S. § 6-1-716(2)(a2).

FN5: At the time of posting, the Attorney General can be notified by contacting the Consumer Protection Program Manager at: databreach@coag.gov.

FN6: At the time of posting, the relevant credit reporting agencies are: (a) Equifax, (b) Experian, and (c) Transunion.



Stay Informed

Subscribe below to receive a newsletter focusing on legal issues relevant to small business owners.