While everyone is waiting for California’s Data Protection law to come, another “C”-state has already enacted its law: Welcome to Colorado!

By Carolin Brucker Cabe, an Associate at XPAN Law Group, LLC.

While everyone who is remotely familiar with data protection and privacy laws and regulations has probably come across the abbreviation “CCPA” (or “CaCPA”) by now and automatically thinks of California, the abbreviation could just as well point to another state that has enacted one of the most rigorous data protection laws in the United States. Colorado, which also starts with a “C”, is the focus of this week’s blog post.

Colorado’s House Bill 18-1128, titled “Concerning Strengthening Protections for Consumer Data Privacy”, requires “covered entities” to comply with new rules on how to handle “Personal Information”, or in short “PI”. The law went into effect on September 1, 2018, somewhat unnoticed, with everyone’s attention focusing on the West Coast (or on Europe’s General Data Protection Regulation).

Not only did Colorado enact a set of new data security standards, but it also amended its existing data breach notification regime, introducing more stringent security breach notification timeframes.

Who does the law apply to?

If you are a “covered entity”, that is, a person as defined in section 6-1-102 (6) that maintains, owns, or licenses personal identifying information of a Colorado resident in the course of the person’s business, vocation, or occupation, the law applies to you. All businesses and government entities that keep either paper or electronic documents containing Coloradans’ personal identifying information – be it a one-person operation or a multinational corporation – are therefore subject to the law.

Overview of the basic requirements of the law

Covered entities:

As stated above, the law applies to covered entities, which include businesses that maintain, own, or license computerized data containing personal identifying information about Colorado residents. Such “covered entities” must “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations”. Section 6-1-713.5 (1). Unfortunately, the statute does not define “reasonable security procedures” and, by omitting a definition, joins the ranks of – among others – the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), which also lacks certain definitions.

It should be noted that although the Colorado law uses the term “covered entities”, familiar from HIPAA, the term is much broader under the Colorado law.

Personal identifying information:

“Personal identifying information” under the Data Privacy Law of Colorado means “a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; or a financial transaction device”. Section 6-1-713 (2)(b).

These data elements furthermore become part of a more expanded definition of “personal information” as any one or more of the following three sets of information:

“(A) ‘Personal Information’ means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military, or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data; (B) A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; or (C) A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account”. Section 6-1-716 (1)(g)(I)(A)-(C).

Third-Party Service Provider:

Third-Party Service Provider means “an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity”. Section 6-1-713.5 (5). Businesses that disclose PI to third-party service providers must ensure that these service providers also implement and maintain “reasonable security procedures and practices” that are “(a) appropriate to the nature of the personal identifying information disclosed to the third-party service provider; and (b) reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction”. Section 6-1-713.5 (2).

This requirement does not apply, however, if the business retains primary responsibility for implementing reasonable data security procedures and practices and implements and maintains technical controls that either (1) help protect the PI from unauthorized access, use, modification, disclosure, or destruction; or (2) “effectively eliminate” the service provider’s ability to access the PI, notwithstanding their physical possession of it. Section 6-1-713.5 (3).

Written Policies:

Businesses that maintain paper or electronic documents containing personal identifying information must develop and maintain written policies for the destruction or proper disposal of same when such paper or electronic documents are no longer needed. Section 6-1-713 (1).

Security Breach:

Security Breach is defined as “the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity”. Section 6-1-716 (1)(h).

What to do when a data breach has occurred?

Notification Requirements:

Notice must be made to the affected Colorado residents “in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach has occurred”. Section 6-1-716 (2)(a) (emphasis added).

“Determination that a security breach has occurred” means “the point in time at which there is sufficient evidence to conclude that a security breach has taken place”. Section 6-1-716 (1)(c).

Although the definition of security breach cited above suggests that only “unencrypted” computerized data has to be affected, the statute also provides that notification must be made when (1) “encrypted or otherwise secured personal information” is disclosed, and (2) “the confidential process, encryption key, or other means to decipher the secured information was also acquired in the security breach or was reasonably believed to have been acquired”. Section 6-1-716 (2)(a.4).

If a business reasonably believes that the security breach has affected 500 or more Colorado residents, it must also provide notice to the attorney general. In this instance, notice has to be given in the same “most expedient time possible and without unreasonable delay, but not later than thirty days”. Section 6-1-716 (2)(f)(I).

Note that a good faith acquisition of personal information by an employee or agent for business purposes is not a security breach if the information is not used for purposes other than lawful business operations or is not subject to further unauthorized disclosure. Section 6-716 (1)(h).

Content Requirements:

The notice to the affected Colorado residents must include:

  • The date, estimated date, or estimated date range of the security breach;
  • A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach;
  • Information that the resident can use to contact the covered entity to inquire about the security breach;
  • The toll-free numbers, addresses, and websites for consumer reporting agencies;
  • The toll-free number, address, and website for the Federal Trade Commission; and
  • A statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes.

Section 6-1-716 (2)(a.2).

If the security breach involves a username or email address combined with a password or security question and answer that would permit online access to an account, businesses must direct affected individuals to change their password and security questions and answers, or to take other steps appropriate to protect the individual’s online account. Section 6-1-716 (2)(a.3).

If the breach involves the log-in credentials of an email account provided by the business itself, the business must provide the notice through a method other than that email address and by clear and conspicuous notice delivered at the time the individual is connected to the online account from an IP address or online location the covered entity knows the individual customarily accesses the account from. Section 6-1-716 (2)(a.3).

Substitute Notice:

Substitute notice is permitted when (1) the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), (2) the affected class of persons to be notified exceeds two hundred fifty thousand (250,000) Colorado residents, or (3) the covered entity does not have sufficient contact information to provide notice.

Substitute notice consists of email notice if the business has email addresses for members of the affected class, conspicuous posting of the notice on the entity’s website, and notification to major statewide media. Section 6-1-716 (1)(f)(IV).

What to take away from the new law?

The law establishes three key responsibilities for businesses and government entities that keep either paper or electronic documents containing Coloradans’ personal identifying information:

First, the law that already required disposal of PI now requires written policies governing the disposal of both paper and electronic records containing PI;

Second, the new law requires covered persons and entities to take reasonable steps to protect PI; and

Third, the law that already required notification of data security breaches now requires detailed notice to consumers within 30 days and, in certain circumstances, notice to the Attorney General.
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.