August 29, 2018
By Rudy E. Verner and Jacob Scarr
Colorado is one of the latest states to pass updates strengthening its consumer privacy regulations. Colorado’s new data protection law, C.R.S. § 6-1-713, includes changes to the state’s breach notification requirements, data protection standards, and data disposal standards. The regulations, which go into effect September 1, 2018, require companies doing business in Colorado to comply with:
Breach Notification. Colorado’s new data breach notification standards impose more stringent requirements on companies following a breach. First, companies must now begin conducting an investigation as soon as they become aware that a breach may have occurred, rather than when the existence of a breach is actually confirmed. Companies must notify impacted Colorado residents without unreasonable delay, and no later than thirty days after determining that the breach occurred. The law requires such notices to include specific information to assist consumers in protecting their sensitive data and mitigating any potential losses. Generally, companies will also be required to notify the Colorado Attorney General when state residents are implicated in a data breach.
Data Protection Standards. The new law requires that companies implement reasonable security procedures “appropriate to the nature of the personal identifying information and the nature and size of the business and its operation.” Notably, Colorado’s new bill also mandates that businesses processing personal information require that their third-party service providers implement and maintain security practices appropriate to the nature of the personal information disclosed.
Data Disposal Standards. Companies will now need to have written policies detailing their data destruction procedures. Those policies will need to require that the company dispose of or arrange for the destruction of paper and electronic documents when they are no longer needed. The new law requires that destruction occur through shredding, erasing, or otherwise modifying the information to make the personal information unreadable or indecipherable.
Criminal Penalties. Finally, the new regulation expands the sanctions available for violations. In addition to civil penalties, the law gives the Attorney General the authority to prosecute criminal violations of the section upon either a request from the governor or the approval of the district attorney in the appropriate judicial district.
This article is intended to provide general information and, therefore, should not be treated as legal advice. If you have questions about a specific legal issue, you should seek the advice of a qualified attorney.