Data Breach in Colorado


Data Breach in Colorado: what are the laws and regulations to be aware of?

Statute Codes

Colorado data breach laws are covered under the Colorado Consumer Protection Act, including Colo. Rev. Stat. § 6-1-716. This extends to H.B. 1119, which was signed into law April 24, 2006, and which became effective on September 1, 2006, as well as HB 18-1128, which was signed into law May 29, 2018, and became effective September 1, 2018.

Legal Requirements and Purpose

Entities are defined as persons, businesses, or state agencies that either license or manage computerized personal information (PI). The statute applies to any entity that holds information on the state’s residents, whether or not that entity is located in Colorado or conducts business there.

A breach is defined as the acquisition, through unauthorized access, of PI that could compromise its owners in terms of integrity, security, or confidentiality. Good-faith data distribution isn’t a breach, provided the data isn’t misused.

PI refers to the first and last name, or the first initial and last name, of an individual when linked to sensitive data. A PI breach occurs if the PI isn’t encrypted, if encryption keys have also been compromised, or if PI details in affected information haven’t been secured, redacted, or otherwise safeguarded to be unreadable. Information attached to a resident’s name includes SSNs, ID numbers (including military IDs, passports, and driver’s licenses), medical information, health insurance numbers, or biometric information. Additionally, login information for email addresses is PI, including security questions.

Timeframes for Reporting

An entity must contact parties affected by a PI breach as soon as feasibly possible once the breach, or reasonable suspicion of the breach, is determined. Should a good-faith, swift investigation determine that the breach caused no harm that could result in PI exploitation, notification isn’t required.

The AG must be notified should 500 or more residents of Colorado be affected. This notice must be provided no more than 30 days from the time a breach has been determined. This window is consistent with measures taken to ascertain the scope of a breach or restore system functionality of affected computer networks. Also, all consumer reporting agencies that keep records on consumers nationally are to be notified should more than 1,000 residents be affected. If the entity manages data that it does not own on behalf of a third party, and that data includes PI, a corresponding notice of a breach must be provided to that third party as soon as reasonably possible.

Means of notification include written notice at supplied postal addresses within entity reach, telephone notice, or electronic notice, provided said electronic notice is in compliance with the E-Sign Act (15 U.S.C. § 7001). If the email address of an affected party is compromised, that email can’t be used for notice. Electronic notice in this instance must consist of notifying the affected party on an IP address or other trusted online location said affected party customarily frequents.

The notice must have several elements. It must include the date or estimated time of breach; what sort of PI was affected; information affected parties can use to contact breached entities; toll-free phone numbers, addresses, and websites of major credit reporting agencies as well as the FTC (Federal Trade Commission); and a statement informing residents that they can get information from the FTC and credit reporting agencies pertaining to fraud alerts or security freezes.


The AG can seek both injunctive relief and direct damages from the entity to affected parties according to the situation.

Contact Security Compliance Associates to Learn More about the Laws and Regulations for a Data Breach in Colorado

SCA has years of experience helping organizations across the United States to prevent and manage potential data breaches. Contact us today at 727-571-1141 to schedule a no-cost consultation. You can also download our free Data Breach Response Guide to learn more about breach notification law in your state.