Colorado’s new privacy legislation—the toughest in the nation—goes into effect September 1, 2018. The law is remarkable for both its broad definition of personally identifying information (PII), whether in hard copy or electronic form, and its broad application to businesses of any size and to government agencies. Colorado’s attorney general participated in crafting the bill and is expected to enforce it closely. It’s time to learn these ABCs:
A is for Accountability
Any Colorado-based company that collects PII on Colorado citizens is a “covered entity” under the law’s provisions. Responsibility cannot be transferred to a third party. In fact, PII shared with another entity (e.g., a cloud services provider) must be contractually protected by the same standard of care: written security measures and a PII disposal policy. PII is defined as a Colorado resident’s first name or first initial and last name combined with one or more of the following in cleartext (i.e., humanly readable or usable):
- Government- or para-government issued identifiers (social security number; student, military, or passport identification number; driver’s license number)
- Biological or health-related identifiers (diagnostic/treatment information from a medical professional, health insurance identification number, biometric data)
- Digital identifiers (username or e-mail address, in combination with a password or security questions and answers permitting access to an online account; account number or credit/debit card number in combination with any required security code, access code or password permitting access to that account)
- Note: PII does not include publicly, lawfully available information from government records or widely distributed media (information that can be acquired from Dark Web sites is not “lawfully available”).
B is for Best Practices
- Written and enforced policy on PII retention, destruction, and disposal
- Encrypt or securely lock PII (and, ideally, other sensitive data at rest)
- Specific contractual compliance from third-party providers
- Documented and maintained “reasonable” security measures
- System security plan
- Robust access control practices (e.g., strong passwords, least privilege)
- Incident detection, response, and recovery plan
- Employee training
- Notification to affected Colorado residents within 30 days of data breach verification
- Note: PII collected in good faith by an employee or agent of a covered entity for the lawful operation of the business and not subject to unauthorized disclosure is not a “security breach.”
C is for Consequences
- PII breach notification must include the following elements:
  - Date, estimated date, or estimated date range of the security breach
  - Description of the PII acquired or believed to have been acquired
  - Covered entity contact information
  - Toll-free numbers, addresses, and websites of consumer reporting agencies
  - Statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes
  - Direction to the affected Colorado resident(s) to change account access information
- Notify the Attorney General within 30 days if 500 or more Colorado residents are believed affected
- Colorado’s Attorney General can sue for noncompliance and collect damages for citizens.
- Criminal charges are possible.
This law describes PII and notifications in a way that is closer to the European Union’s General Data Protection Regulation (GDPR) but does not include provisions like the “right to be forgotten” nor the right to review and correct information. The underlying message, however, is that protection of one’s PII is a reasonable expectation—at least for Colorado residents. Time to learn and practice your ABCs!