Colorado, ahead of California, bolsters state data breach notifications and requires more security of processing for Personal Information.
California is not the only state that wants to govern the data protection and security of its constituents. Colorado has also come out with a strong, bipartisan law that puts it on the map of GDPR-like state laws, and the Colorado law is already in effect.
On May 29, 2018, just days after the EU's General Data Protection Regulation ("GDPR") went into effect, the governor of Colorado signed into law HB 18-1128 (the "Bill") "concerning strengthening protections for consumer data privacy." The Bill took effect September 1, 2018, more than a year before California's law, which goes into effect January 1, 2020 and which has already been revised since passing in June 2018. The Colorado Legislature unanimously passed the Bill, signifying a bipartisan focus on data security and consumer protection. Though not truly centered on the precept of data privacy (i.e., the collection, use, and sharing of information), the Bill provides additional consumer protections before and after potential data breaches. The changes bolster the state's ability to protect the Personal Information of its residents but could place heavy burdens on small businesses not already compliant with other U.S. data security laws.
The Bill incorporates three central revisions into the Colorado Consumer Protection Act ("CCPA"): (1) a 30-day security breach notification period; (2) a requirement to develop data destruction policies; and (3) a requirement to maintain and implement "reasonable security procedures and practices" to safeguard sensitive Personal Information.
Applicability and Scope. The Bill establishes detailed investigation and notification requirements for all "covered entities," defined as persons or entities that maintain, own, or license Personal Information in the course of their business, vocation, or occupation ("Covered Entities"). These requirements also apply to government entities. The Bill tweaks and updates the existing Colorado law by applying it to new types of data (discussed below) and adds a requirement that the state attorney general be notified in the event of certain types of breaches.
Enforcement. The Colorado Attorney General may bring an action to address violations of the Bill's updated breach reporting, data disposal, and security requirements and may enforce compliance, recover damages resulting from a violation, or both. The Bill also gives district attorneys the authority to prosecute criminal violations amounting to computer crime. Although the new Bill provisions are part of Colorado's CCPA, which provides a private cause of action in connection with certain "deceptive trade practices," it is unclear whether violations of the Bill will give rise to private causes of action under the CCPA. If a violation is interpreted to be a deceptive trade practice subject to the CCPA, a successful plaintiff could possibly recover treble damages and reasonable attorneys' fees from a Covered Entity.
Requirements for Security Breach Notifications
Types of Protected Data: "Personal information" is now defined as a resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident (when those data elements are not encrypted, redacted, or otherwise secured): medical information; health insurance identification number; biometric data; social security number; student, military, or passport identification number; or driver's license number or identification card number. "Personal information" also includes a resident's username or email address in combination with a password or security questions and answers that would permit access to an online account, and a resident's account number or credit or debit card number in combination with an access code or password that would permit access to that account.
Notification Requirement: Businesses reporting a data breach affecting residents must notify the affected residents and, if more than 500 Colorado residents are affected, the state's Attorney General not later than 30 days after the date of determination that a security breach occurred. While this time period is certainly amongst the shortest in the nation, Colorado is not the first state to codify a 30-day requirement (e.g., Florida), nor is this the shortest time period within which breach notifications must be made. For example, Puerto Rico requires government notification within ten days, and the EU requires certain notifications within 72 hours if there is a significant risk to individuals. If more than 1,000 Colorado residents are affected by a data breach, the Covered Entity must also notify all consumer reporting agencies.
Requirements for Data Disposal and Security Policies
The Bill obligates Covered Entities to create a written policy for the destruction or proper disposal of paper and electronic documents containing Personal Information, requiring the destruction of those documents when they are "no longer needed." The Bill also requires that Covered Entities implement reasonable and appropriate security procedures and practices regarding Personal Information to prevent data breaches. These policy requirements apply to a more limited set of data than do the breach notification provisions. Unlike the breach notification requirements described above, the data disposal and security procedure requirements do not apply to medical information or health insurance identification numbers, which are already regulated under other statutes. Certain states' legislation (e.g., Massachusetts) contains far more detailed, prescriptive steps than Colorado's in terms of what specific measures must be taken when securing sensitive information.
Importantly, a Covered Entity regulated by state or federal law that already maintains data disposal and security procedures is deemed to be in compliance with the Bill's provisions. For those companies, the Bill does not signal a radical change in compliance the way the GDPR or the California Consumer Privacy Protection Act does. However, smaller companies without these established procedures must now shoulder the burden of the time and resources necessary to become compliant.
To ensure compliance with the Colorado law effective September 1, 2018, U.S. companies should review, and if necessary, revise security policies and procedures affecting Personal Information of Colorado residents and memorialize, internally, the data breach notification deadlines. The state's Attorney General's office has stated publicly that it assumes that it will take time for all Covered Entities to become compliant, but that businesses will be working hard to that end.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 700 lawyers practicing throughout a network of 13 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology, and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.