Colorado Governor John Hickenlooper recently signed into law House Bill 1128, which will take effect on September 1, 2018. The new law requires businesses owning, maintaining, or licensing personal information of Colorado residents to maintain a written policy for disposing documents containing personal identifying information; implement appropriate security procedures to protect personal information; and comply with breach notification requirements, including an accelerated 30-day timeframe for notification to Colorado residents impacted by a data breach.
This LawFlash provides an overview of the key requirements of the new law.
House Bill 1128 requires that businesses maintaining personal identifying information (PII) of Colorado residents (Covered Entities) implement a written policy for “the destruction or proper disposal” of paper and electronic documents containing PII.
To protect PII, Covered Entities must “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the [PII] and the nature and size of the business and its operations.” This requirement also extends to third-party service providers: “Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices.” These security procedures must be appropriate to the nature of the PII and reasonably designed to protect the PII from unauthorized access.
A Covered Entity must notify individuals affected by a data breach within 30 days after the entity determines that a breach occurred that resulted in, or is likely to result in, the misuse of personal information. Florida is the only other US state with such a short notification requirement, although Florida allows for a 15-day extension under certain circumstances.
The new law expands the categories of information that will require a breach notification if compromised. This “personal information” includes the following:
Covered Entities are required to notify the Colorado Attorney General if the breach affects more than 500 Colorado residents, and must notify credit reporting agencies if the breach affects more than 1,000 Colorado residents.
The law also sets forth new requirements for the content of the breach notification, including the date of the breach, a description of the PII affected, contact information for the covered entity, and numbers, addresses, and websites for credit reporting agencies and the Federal Trade Commission.
Businesses maintaining Colorado resident PII should ensure that their data protection policies comply with House Bill 1128 prior to September 1, 2018. In particular, businesses should revisit their document retention policies to ensure that they address the destruction of paper and electronic documents containing PII, and confirm that contracts with any third-party vendors handling Colorado resident PII contain appropriate security procedures.
Businesses should also be aware that in the event of a breach or disclosure of personal information involving Colorado residents, notice must be provided to the affected residents within 30 days of discovery and must include the newly required information. Additionally, businesses should consider updating incident response plans or playbooks in light of the new requirements.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Ronald W. Del Sesto, Jr.
HB 1128 § 6-1-713.5.