30 Day Notice: New Colorado Data Privacy Act

Sherman & Howard L.L.C.

On May 29, 2018, Governor John Hickenlooper signed into law House Bill 18-1128 (the “Data Privacy Act”). The Data Privacy Act creates new standards for how businesses and governmental entities (i) protect the personal information of Colorado residents, including providing for the proper disposal of such data, and (ii) alert Colorado residents when a breach involving their data has occurred. The Act appears to apply to out-of-state businesses that maintain the data of Colorado residents. The Data Privacy Act goes into effect on September 1, 2018.

The most confusing part of the Data Privacy Act is that while the standards for maintaining and disposing of data apply to Personal Identifying Information (“PII”) (defined below), the data breach notification rules apply to Personal Information (“PIn”) (also defined below). Below we will first address the standards for properly protecting PII and then turn to the data breach notification requirements for PIn.

Defined Terms Related to Protecting Personal Identifying Information.

Covered Entity: A person that maintains, owns or licenses PII in the course of such person’s business, vocation, or occupation. Covered Entity does not include a person acting as a third-party service provider.

Personal Identifying Information (PII): A social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; Biometric Data; an employer, student, or military identification number; or a financial transaction device.

Biometric Data: Unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account.


Protection of Personal Identifying Information. A Covered Entity that maintains, owns, or licenses PII of an individual residing in the State of Colorado must implement and maintain reasonable security practices and procedures to protect the PII from unauthorized access, use, modification, disclosure, or destruction. A Covered Entity’s practices and procedures must be reasonable and appropriate in light of the nature of PII, as well as the nature and size of the Covered Entity and its operations. If a Covered Entity already maintains procedures for protecting PII in order to comply with laws, guidances, or guidelines established by a federal or state regulator, then the Covered Entity is deemed to be in compliance with the Colorado Data Privacy Act’s requirement to protect PII.

Covered Entities that disclose PII to a third-party service provider for the provider to maintain, store, or process must require such providers to implement and maintain reasonable security practices and procedures. The only exception is if the Covered Entity has effectively eliminated the third-party service provider’s ability to access the PII, notwithstanding the third-party service provider’s physical possession of such information.

Destruction of Records Containing Personal Identifying Information. Each Covered Entity that maintains paper or electronic documents containing PII must develop a written policy to destroy or dispose of the documents such that any PII is rendered unreadable or indecipherable. The policy should specify that all records containing PII will be destroyed after the records are no longer necessary, unless federal or state law requires otherwise. If a Covered Entity already maintains procedures for disposing of PII in order to comply with federal or state laws, then it is deemed to be in compliance with the Colorado Data Privacy Act regarding the disposal of records.

Defined Terms Related to Notifying Affected Individuals of a Data Breach.

Personal Information (PIn): A Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method: social security number; student, military, or passport identification number; driver’s license number or identification number; Medical Information, health insurance identification number or Biometric Data.

“Personal Information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

Medical Information: Any information about a consumer’s medical or mental health treatment or diagnosis by a healthcare professional.

Encrypted: Rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

Security Breach: The unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of Personal Information maintained by a Covered Entity. Good faith acquisition of Personal Information by an employee or agent of a Covered Entity for the Covered Entity’s business purpose is not a Security Breach if the Personal Information is not used for a purpose unrelated to the lawful operation of the business or is not subject to unauthorized disclosure.

Duty to Investigate and Notify Affected Individuals. If a Covered Entity suspects a Security Breach may have occurred, it must conduct a good faith and prompt investigation. If the investigation reveals that PIn has not been misused and misuse is not reasonably likely to occur, then the Covered Entity does not need to notify anyone, but should address any vulnerabilities identified during the investigation.

Otherwise, the Covered Entity must notify affected Colorado residents of the breach as quickly as possible and without unreasonable delay, but at least within 30 days after the Covered Entity has sufficient information to conclude that a Security Breach occurred. The Covered Entity also must provide notice if encrypted data is taken during the Security Breach along with the encryption key. The statute sets forth what information should be provided in the notification; specific warnings must also be included in the notification if the Security Breach involves a Colorado resident’s username or email address and either a password or the answers to security questions. Additional information may be furnished in the notice if the Covered Entity has to include specific elements to comply with other state and/or federal laws, such as HIPAA.

If the Covered Entity must notify more than 500 Colorado residents of a Security Breach, then it also must notify the Colorado Attorney General by the deadline for notifying affected residents. If the Covered Entity must notify more than 1,000 Colorado residents of a Security Breach, then it must notify all national consumer reporting agencies in the most expedient time possible and without unreasonable delay of the date on which notice of the Security Breach was provided to affected residents and the approximate number of affected residents. The Covered Entity is not required to provide the names of all affected residents to these agencies. Also, Covered Entities subject to Title V of the federal Gramm-Leach-Bliley Act are not required to notify national consumer reporting agencies.

Third-Party Services Providers. If a third-party service provider that is maintaining PIn for a Covered Entity believes a Security Breach may have occurred, the provider must notify the Covered Entity in the most expedient time possible and without unreasonable delay upon discovering the Security Breach if the misuse of PIn has occurred or is likely to occur. The provider must cooperate with the Covered Entity, which includes sharing information relevant to the Security Breach.

Delay of Notification Due to Law Enforcement. A Covered Entity may delay notifying affected Colorado residents of a Security Breach if a law enforcement agency determines that providing such notice may impede a criminal investigation. Once law enforcement (if involved) determines notice will not impede an investigation, the Covered Entity will be expected to notify affected residents and the Colorado Attorney General within 30 days and the above timelines for notifying consumer reporting agencies apply.

Enforcement. The Colorado Attorney General may sue a Covered Entity that fails to comply with the Colorado Data Privacy Act. The Attorney General may request that a court order a Covered Entity to comply with the Act, award direct economic damages resulting from the violation, or both. In certain cases, violations may lead to criminal prosecution.

TAKEAWAYS

  • Determine if the Colorado Data Privacy Act applies to your business—do you maintain, own, or license PII or PIn of Colorado residents on behalf of your entity or another entity?
  • Review and update your business’s data protection policies and practices for PII, data retention schedules, and policies regarding data disposal.
  • Review and update your business’s data breach response plan. Is your business prepared operationally to notify affected Colorado residents of a Security Breach within 30 days of completing a breach investigation?
  • Review and update contracts with third-party service providers to require quick notification of a Security Breach.
  • Review and update cybersecurity insurance policies. If your business experiences a cyber Security Breach, will your business’s insurance cover the costs of investigation and notification?


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sherman & Howard L.L.C. | Attorney Advertising
