Colorado has had data privacy laws for many years. This year the Colorado legislature took up enhancements to these laws in House Bill 18-1128. The act was signed into law on May 29, 2018, by Governor Hickenlooper. The crux of the law is that all companies in Colorado that hold data about Colorado residents have a responsibility to protect that data. The biggest change is that if there is a breach of data, a company has only 45 days to report the data loss to the people it affects.
The definition of "personal identifying information" or PII is what you would expect.
PII includes "[a] social security number; a personal identification number; a password; a pass code; an official state or government-issued driver's license or identification card number; a government passport number; biometric data, AS DEFINED IN SECTION 6-1-716 (1)(a); an employer, student, or military identification number; or a financial transaction device."
The law applies to any organization, for-profit or not-for-profit, that collects or processes the data. The law requires keeping "reasonable security procedures." Denver DataMan already works with our customers to put security procedures in place, and we will be making sure that these procedures meet the standards the law requires. We believe they will, knowing all along that security is a constantly evolving landscape.
The law does make clear that there are different expectations depending on the size of the company and the type of data that is being kept. For example, a company that has a blog that lets users log on with usernames and passwords has a different level of expectations for security than a small insurance office keeping social security numbers.
It is the responsibility of the company that chooses a third party such as Denver DataMan to make sure that the third party keeps the data secure while it is in the third party's possession. Denver DataMan has always taken this very seriously and has a strict protocol for working with customer data. Any vendor you work with and provide your customer data to should have these types of procedures in place.
The law provides very clear guidance on the type of notice that must be given and how notice must be provided in the event that there is a security breach.
The Attorney General's office not only has the ability to help collect economic damages; it has also been granted the authority to investigate and prosecute criminal violations of this law.
The law will go into effect on the 1st of September 2018.
This is not a legal opinion. For legal advice on the specifics of how this law pertains to you and your company, make sure to contact your attorney.