Colorado Notification of Security Breach
C.R.S. § 6-1-716
SUMMARY:
EFFECTIVE. September 1, 2006
WHO DOES THIS LAW APPLY TO. (1) Any person or entity that conducts business in Colorado and owns or licenses computerized data that includes Colorado resident’s Personal Information; and (2) any person or business that maintains computerized data that it does not own which includes Colorado resident’s Personal Information.
WHAT IS A BREACH. An unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of Personal Information of a Colorado resident.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not encrypted, redacted, or secured by any other method:
- Social Security number.
- Driver’s license or identification card number.
- Student, military, or passport identification card number.
- Health insurance identification number.
- Biometric data, including fingerprints, iris recognition, and retinal scans, that are used to authenticate an individual when they access an online account.
- Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a financial account.
- Username or email address, in combination with a password or security questions and answers that would permit access to an online account.
Personal Information does not include publicly available information, information that is lawfully available from Federal, State, or local government records, or widely distributed media.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the Colorado resident(s) affected. No notification is required if the person, business, or a law enforcement agency determines that the Personal Information has not been, or is not likely to be, misused.
- If the security breach is reasonably believed to have affected 500 or more Colorado residents, you must provide notice to the Colorado Attorney General. You must provide this notice in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred. Notice to the Colorado Attorney General should be submitted using the Data Breach Reporting Form.
- If more than 1,000 Colorado residents are involved in a breach, the person or business shall also notify all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)) of the date of the notice and the approximate number of individuals involved. Notice to the consumer reporting agencies does “not apply to a person who is subject to Title V of the Federal Gramm-Leach Bliley Act, 15 U.S.C. § 6801, et seq.”
EXCEPTION. This Section does not apply to the following:
- A good-faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not subject to further unauthorized disclosure.
- A person or business that maintains its own notice procedures as part of a Personal Information security policy, and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected Colorado individuals are notified by the person or business in accordance with its policies.
- Gramm-Leach-Bliley Act exception: an entity that is subject to, and in compliance with, the privacy and security requirements of Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.
- An individual or business that is regulated by State or Federal law and maintains procedures for a security breach pursuant to those State or Federal laws or rules is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent in the most expedient time possible and without unreasonable delay, but within 30 days, consistent with any measures necessary to determine the scope of the breach and to restore the integrity of the data system. Notification may be delayed if it would impede a criminal investigation and law enforcement requests the delay. In that instance, notification must be made as soon as possible after law enforcement gives clearance.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written notice to the postal addresses on file.
- Telephone.
- Electronic notice (if electronic communication is the primary means of communication with the resident, or if consistent with 15 U.S.C. § 7001, et seq.).
- Substitute notice, as provided below.
Notification to affected individuals must include the following:
- The date, estimated date, or estimated date range of the security breach.
- A description of the personal information that was acquired as part of the security breach (or that is reasonably believed to have been acquired).
- Information that a resident can use to contact you to inquire about the security breach.
- A statement that the resident can obtain information from the Federal Trade Commission (FTC) and the credit reporting agencies about fraud alerts and security freezes.
- The toll-free numbers, addresses, and websites for consumer reporting agencies.
- The toll-free number, address, and website for the FTC.
If the security breach included a resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account, you must also direct the affected residents to take steps to protect their accounts that may be accessed with the compromised credentials, i.e., instruct them to change their user password and/or security questions and answers.
SUBSTITUTE NOTICE. If the person or business can demonstrate that the cost of providing notice will exceed $250,000, that the number of affected individuals to be notified exceeds 250,000 Colorado residents, or that it does not have sufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email, if the person or business has an email address for the affected individual.
- Conspicuous posting of the notice on the person’s or commercial entity’s website.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person or business maintains unencrypted data that includes Personal Information that it does not own, then the person or business shall immediately notify and cooperate with the owner or licensee regarding the breach. Cooperation shall include sharing all relevant information pertaining to the breach. The person or business that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. The Attorney General may “bring an action in law or equity to address violations” of this Section, or to recover economic damages resulting from a violation, or both.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. Colorado requires certain persons and entities that maintain personal identifying information (“PII”) in paper or electronic form to establish written policies governing the disposal of PII.
DATA DISPOSAL PROVISIONS. Colo. Rev. Stat. § 6-1-713. If you maintain PII, in paper or electronic form, you are required to develop a written policy to ensure that the PII is destroyed or properly disposed of when it is no longer needed. You are required to implement and maintain reasonable security procedures and practices to protect PII, taking into account the nature and size of your business and the type of PII you collect.
LEGISLATIVE UPDATES.
- H.B. 1119 – Signed into law on 4/24/2006, effective 9/1/2006.
- H.B. 18-1128 – Signed into law on 5/29/2018, effective 9/1/2018.
For more information, see:
- https://leg.colorado.gov/sites/default/files/images/olls/crs2016-title-06.pdf
- https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=f1895729-4b6c-4d8c-9529-ede18fe1d884&nodeid=AAGAABAABAAIAAU&nodepath=%2FROOT%2FAAG%2FAAGAAB%2FAAGAABAAB%2FAAGAABAABAAI%2FAAGAABAABAAIAAU&level=5&haschildren=&populated=false&title=6-1-716.+Notification+of+security+breach.&config=014FJAAyNGJkY2Y4Zi1mNjgyLTRkN2YtYmE4OS03NTYzNzYzOTg0OGEKAFBvZENhdGFsb2d592qv2Kywlf8caKqYROP5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A61P5-X0P1-DYDC-J4YD-00008-00&ecomp=vg1_9kk&prid=669f61fc-710c-4697-afd2-26af2398b8c6
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.