The Colorado legislature recently passed a new data privacy law, House Bill 18-1128, which heightens requirements for corporate and public entities handling personal information of Colorado residents. Effective September 1, 2018, the law aims to strengthen consumer data privacy by 1) shortening the time frame for notifying affected Colorado residents and the Attorney General of a data breach to within 30 days of determining that a data breach occurred; 2) requiring business and third party entities to adopt “reasonable security procedures” to safeguard the personally identifiable information (“PII”) they handle; and 3) imposing data disposal rules for such entities.

Notable provisions of the bill include:

  • Expanding the Definition of Personal Information: The Colorado bill expands the definition of PII to a resident’s first name or first initial and last name plus one or more of the following additional elements: 1) Social Security Number or Personal ID Number; 2) Passport Number; 3) Driver’s License or ID Card Number; 4) Employer, Student, or Military ID Number; 5) Password or Passcode; 6) Biometric Data; or 7) Financial Transaction Device (e.g., credit or debit card).
  • Increasing Data Safeguarding and Disposal Responsibilities: Entities that possess PII of Colorado residents are required to implement “reasonable security procedures” appropriate to the nature of the data and the nature and size of the organization. Entities must also maintain a written policy requiring destruction of PII when it is “no longer needed” in order to make the data “unreadable or indecipherable.”
  • Third Party Enforcement: Entities that provide PII to a third party service provider must require that third party to implement and maintain the same reasonable security procedures as required of the entity. However, an entity may decide to provide its own reasonable security protection for the information it provides to the service provider in order to eliminate the third party enforcement requirement.

For further information, please contact one of the attorney authors or your regular C&M professional.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office where he is co-chair of the firm’s Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators.

Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

 

Michael G. Gruden, CIPP/G

Michael G. Gruden is an associate in Crowell & Moring’s Washington, D.C. office where he is a member of the firm’s Government Contracts and Privacy & Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is also a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G).