New Colorado Data Privacy Law Requires Businesses to Improve Protection of Personal Information

June 26, 2018

Colorado Governor John Hickenlooper recently signed into law House Bill 1128, which will take effect on September 1, 2018. The new law requires businesses owning, maintaining, or licensing personal information of Colorado residents to maintain a written policy for disposing documents containing personal identifying information; implement appropriate security procedures to protect personal information; and comply with breach notification requirements, including an accelerated 30-day timeframe for notification to Colorado residents impacted by a data breach. 

This LawFlash provides an overview of the key requirements of the new law.

Data Disposal Requirements

House Bill 1128 requires that businesses maintaining personal identifying information (PII) of Colorado residents (Covered Entities) implement a written policy for “the destruction or proper disposal” of paper and electronic documents containing PII.

Security Procedure Requirements

To protect PII, Covered Entities must “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the [PII] and the nature and size of the business and its operations.”[1] This requirement also extends to third-party service providers: “Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices.” These security procedures must be appropriate to the nature of the PII and reasonably designed to protect the PII from unauthorized access.

Breach Notification Requirements

A Covered Entity must notify individuals affected by a data breach within 30 days after the entity determines that a breach occurred that resulted in, or is likely to result in, the misuse of personal information. Florida is the only other US state with such a short notification requirement, although Florida allows for a 15-day extension under certain circumstances.

The new law expands the categories of information that will require a breach notification if compromised. This “personal information” includes the following:

  • A Colorado resident’s first name or first initial and last name, in combination with any one or more of the following data elements, when the data elements are not encrypted, redacted, or otherwise secured so as to be unreadable or unusable:
    • Social security number
    • Student, military, or passport identification number
    • Driver’s license number or identification card number
    • Medical information
    • Health insurance identification number
    • Biometric data
  • A Colorado resident’s username or email address, in combination with a password or security questions/answers that would grant access to an online account.
  • A Colorado resident’s credit or debit card number or account number in combination with a required security code, password, or access code that would grant access to the account.

Covered Entities are required to notify the Colorado Attorney General if the breach affects more than 500 Colorado residents, and must notify credit reporting agencies if the breach affects more than 1,000 Colorado residents.

The law also prescribes the content of the breach notification, which must include the date, estimated date, or estimated date range of the breach; a description of the personal information that was, or is reasonably believed to have been, acquired; contact information for the covered entity; and toll-free numbers, addresses, and websites for the consumer reporting agencies and the Federal Trade Commission.

Recommendations and Next Steps

Businesses maintaining Colorado resident PII should ensure that their data protection policies comply with House Bill 1128 prior to September 1, 2018. In particular, businesses should revisit their document retention policies to ensure that they address the destruction of paper and electronic documents containing PII, and confirm that contracts with any third-party vendors handling Colorado resident PII contain appropriate security procedures.

Businesses also should be aware that in the event of a breach or disclosure of personal information involving Colorado residents, notice must be provided to the affected residents within 30 days after the business determines that a breach occurred, and must include the newly required content. Additionally, businesses should consider updating incident response plans or playbooks in light of the new requirements.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Greg Parks
Ezra Church
Kristin Hadgis

San Francisco
Reece Hirsch

Washington, DC
Ronald W. Del Sesto, Jr.

[1] HB 1128 § 6-1-713.5.