During the 2018 legislative session, Colorado lawmakers passed a new law aimed at strengthening protections for consumer data privacy. This new consumer protection law has broad application, and impacts every company with employees, or more specifically, every person that maintains, owns, or licenses “personal identifying information” in the course of the person’s business, vocation, or occupation. If your company has employees, or otherwise maintains personal identifying information, the law requires you to take active steps to help protect that information through the implementation of a mandatory written policy and security procedures, and compliance with new notification requirements.

Destruction and Proper Disposal of Personal Identifying Information

First, and most importantly, as of September 1, 2018, the new law requires businesses that maintain paper or electronic documents containing “personal identifying information” to have in place a written policy for the destruction and proper disposal of those documents. “Personal identifying information” includes a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or a “financial transaction device”, including a credit card, banking card, or debit card. The written policy must require that, when documents containing personal identifying information are no longer needed, they must be destroyed by shredding, erasing, or otherwise modifying the personal identifying information to make the information unreadable or indecipherable through any means.

Reasonable Security Procedures

In addition, businesses that maintain personal identifying information must implement reasonable security procedures that are appropriate to the nature of the personal identifying information and the nature and size of the business. While the law does not define what constitutes “appropriate security procedures”, such procedures must be designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.

Notification Requirements in the Event of a Security Breach

Finally, if a business becomes aware that a security breach of computerized data involving “personal information” may have occurred, the business must conduct a prompt investigation to determine the likelihood that personal information has been or will be misused. If misuse of the personal information has occurred or is likely to occur, the business must provide notice to the affected individuals within 30 days of the security breach, and depending on the scope of the security breach, may also be required to notify the Colorado Attorney General and consumer reporting agencies. “Personal information” is defined differently than “personal identifying information”, which is discussed above. “Personal information” means:

(i) A Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident: social security number; driver’s license number or identification card number; student, military, or passport identification number; medical information; health insurance identification number; or biometric data;

(ii) A Colorado resident’s username or email address, in combination with a password or security questions and answers, that would permit access to an online account; or,

(iii) A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.

Personal information does not include any publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

For more information or for help to bring your business into compliance with the requirements imposed by this new law, contact your Ireland Stapleton attorney.

What is written here is intended as general information and is not to be construed as legal advice. If legal advice is needed, you should consult an attorney.