Colorado’s governor recently signed into law House Bill 18-1128. It is effective September 1, 2018 and sets forth information security requirements for businesses and third-party service providers, amends the state’s data breach notification statute and expands the definition of “personal information.”
“Covered entities” are subject to the law. Generally speaking, a “covered entity” is “a person, [as defined in section 6-1-102(6)], that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation.” A “person” is defined by C.R.S. § 6-1-102(6) as “an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or two or more thereof having a joint or common interest, or any other legal or commercial entity.” The law also creates comparable statutory requirements for governmental entities.
Third-party service providers are not included in the definitions of “covered entity” and “governmental entity.” Rather, they are defined as “any entity that has been contracted to maintain, store or process personal information on behalf of” a covered entity or governmental entity.
Covered entities must implement and maintain reasonable security measures to protect documents containing personal identifying information. “A covered entity that maintains, owns, or licenses personal identifying information of an individual residing in the state shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”
“Personal identifying information” is defined as: social security number; personal identification number; password; pass code; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device.
Those subject to the law must ensure that protections are implemented whenever personal identifying information is transferred to third-party service providers that have been contracted to “maintain, store, or process personal information on behalf of a covered entity.”
In pertinent part:
“Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices that are: (a) appropriate to the nature of the personal identifying information disclosed to the third-party service provider; and (b) reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.”
There is an exception where a covered entity retains security responsibility and implements controls to protect personal identifying information from unauthorized disclosure or to eliminate a third-party’s access:
In pertinent part:
“. . . disclosure of personal identifying information does not include disclosure of information to a third-party under circumstances where the covered entity retains primary responsibility for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal identifying information and the covered entity implements and maintains technical controls that are reasonably designed to: (a) help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction; or (b) effectively eliminate the third-party’s ability to access the personal identifying information, notwithstanding the third-party’s physical possession of the personal identifying information.”
In short, a covered entity that discloses personal identifying information to a third-party service provider must either require the service provider to implement and maintain reasonable security procedures and practices, or provide its own protection for the disclosed information.
Covered entities must also implement a written disposal policy for documents that contain personal identifying information, including electronic documents. The written policy must require that, when such paper or electronic documents are no longer needed, the covered entity shall destroy or arrange for the destruction of such documents by shredding, erasing, or otherwise modifying personal identifying information so as to render it indecipherable. A limited, narrow exception to this requirement may exist if there is contrary federal or state law pertaining to disposal of personal identifying information.
Data Breach Notification
Colorado’s data breach notification statute now has the shortest notification window in the United States: notice must be provided within thirty days after a determination that a security breach has occurred. The definition of “personal information” has also been expanded.
In the event of an online account breach, in addition to standard notice, affected persons must be directed to promptly change their passwords and their security questions and answers. Additional steps, as appropriate, must also be taken.
Takeaway: Portions of Colorado’s beefed-up cybersecurity legislation have been borrowed from the GDPR. Covered entities should develop a written information security program that contains robust safeguards; implement a written document retention and disposal policy; critically assess (a) the third parties to whom personal identifying information is transferred, (b) how personal identifying information is transferred to those third parties, and (c) third-party security practices; and ensure that contract language satisfies the statutory requirements. Consult with an attorney experienced in privacy and data security compliance matters to implement an incident response plan, and to negotiate and draft third-party contracts that effectively minimize risk. It is anticipated that the law will be aggressively enforced by the Colorado Attorney General.
Richard B. Newman is a regulatory litigation, investigations and compliance attorney at Hinch Newman LLP focusing on advertising and digital media matters. Follow him on LinkedIn.
ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future results. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.