In the wake of massive breaches, the Cambridge Analytica scandal and the General Data Protection Regulation (GDPR) going into effect, all 50 states now have data breach laws in place. However, Colorado just passed the “Protections for Consumer Data Privacy,” which now sets the most stringent requirements in the U.S. This law substantially tightens reporting requirements for organizations hit by a data breach and requires much firmer measures to be taken to protect consumers’ personal information.

The new law requires organizations to maintain a policy for disposing of documents containing consumer data and to notify Colorado residents of any potential personal information exposure no later than 30 days after discovering a data breach. The 30-day notification window does not provide for any specific exemptions and is the shortest of any state. Most states require that organizations notify state residents in a reasonable amount of time, but do not mandate a specific period. Of the states that have picked time frames, most have gone with 45 days.

Below is a breakdown of the new rules, which go into effect on September 1, 2018:

Broadening the definition of Personally Identifiable Information (PII)

Under the new law, PII now includes an individual’s name in combination with a student, military, or passport number, medical information, a health insurance identification number, or biometric data. In addition, the definition of PII will also include credentials for an online account, as well as payment card or financial account information, even if not in combination with an individual’s name.

Newly mandated data security procedures and practices

A covered entity that maintains, owns or licenses PII of a Colorado resident must “implement and maintain reasonable security procedures and practices” to protect the data from “unauthorized access, use, modification, disclosure or destruction” and it must also require third-party providers to do the same.

Data breach notification obligations

Colorado residents must be notified of a security breach within 30 days of the event, “in the most expedient time possible and without unreasonable delay.” In cases where Colorado’s bill conflicts with federal law, the regulation with the shortest time frame takes precedence.

All organizations dealing with data of Colorado residents now need to prepare for this shortened notification window. This deadline makes it more important than ever for organizations to have a solid breach response plan in place. Breach investigations need to run in an organized, quick manner when there is only a 30-day window to work with. Colorado organizations need to prepare, while the rest of the country needs to watch to see whether other states will follow suit.