Security Breach Notification Law in the State of Colorado
Colo. Rev. Stat. § 6-1-716 is a data breach notification law that was initially passed in the U.S. state of Colorado in 2006. To this point, the law was recently amended in 2018 to provide residents of Colorado with an enhanced level of protection as it concerns the consequences of being involved in a data or security breach. With this being said, Colo. Rev. Stat. § 6-1-716, in accordance with the recently passed Colorado Privacy Act, represents the two foremost legal guidelines for data and privacy protection within Colorado. Moreover, Colo. Rev. Stat. § 6-1-716 also provides the Colorado attorney general with the authority to impose punishments against businesses and organizations within the state that fail to comply with the law.
How is a security breach defined under Colo. Rev. Stat. § 6-1-716?
Under Colo. Rev. Stat. § 6-1-716, a security breach is defined as “an unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PI maintained by an Entity.” Alternatively, the “good-faith acquisition of PI by an employee or agent of an Entity for the purposes of the Entity is not a breach of the security of the system if the PI is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.” Additionally, in terms of the scope and applicability of the law, Colo. Rev. Stat. § 6-1-716 is applicable to “any individual or commercial entity (collectively, Entity) that conducts business in CO and that owns, licenses, or maintains computerized data that includes PI.”
What are the security breach notification requirements under Colo. Rev. Stat. § 6-1-716?
Under Colo. Rev. Stat. § 6-1-716, a business entity within the state of Colorado is required to provide written, telephonic, or electronic notification to all affected individuals, as well as the Colorado attorney general and the three major credit reporting agencies within the U.S., albeit under certain circumstances. Subsequently, these security breach notifications must contain the following information:
- The actual date, estimated date, or estimated range of dates upon which the security breach took place.
- The types of personal information that were subject to unauthorized disclosure.
- Contact information that affected individuals can use to further inquire about the security breach.
- The addresses, websites, and toll-free numbers of the three major credit reporting agencies within the U.S., as well as the Federal Trade Commission.
- A statement detailing the means by which affected individuals can obtain further information from the three major credit reporting agencies in the U.S. and the Federal Trade Commission as it relates to fraud alerts and security freezes.
- “For a breach of online account credentials, in addition to the information above, the notice must direct the consumer to promptly change his or her password or question and answer, or to take other steps appropriate to protect the online account with the covered Entity and all other online accounts for which the person whose PI has been breached uses the same username or e-mail address and password or security question or answer.”
What types of personal information are protected under Colo. Rev. Stat. § 6-1-716?
In accordance with the provisions established by Colo. Rev. Stat. § 6-1-716, the following data elements are legally covered in the event that a security breach occurs, in combination with a Colorado resident’s first name or first initial or last name, in instances where the information has not been redacted, or otherwise rendered unreadable or unusable through another means such as encryption:
- Social security numbers.
- Student, military, and passport identification numbers.
- Driver’s license numbers and other forms of identification card numbers.
- Biometric data.
- Health insurance identification numbers.
- Medical information.
- Usernames and email addresses, in combination with any passwords or security questions that could be used to permit access to a Colorado resident’s online account.
- Financial account numbers and credit and debit card numbers, in combination with any passwords, security codes, or access codes that could be used to permit access to a Colorado resident’s financial account.
In terms of the enforcement of the law, the provisions set forth in Colo. Rev. Stat. § 6-1-716 are enforceable by the Colorado attorney general. As such, the Colorado attorney general has the authority to impose numerous penalties and legal actions against entities and individuals that are found to be in violation of the law. More specifically, “violations may result in civil penalties, as determined by the Attorney General who has the authority to bring actions in law or equity in response to violations, or for any other appropriate relief that can aid in ensuring compliance or recovering economic damages suffered as a direct result of the violation.”
How can businesses protect themselves from the adverse consequences of data breaches?
While data breaches have become an inevitable reality in the midst of the current internet age, there are steps and measures that businesses can take to avoid compromising the personal information of American consumers. One such method is through redaction, as businesses can utilize automatic redaction software programs to ensure that they are protecting the personal data that is in their possession at all times. Furthermore, as these programs allow users to automatically redact information in a wide range of categories, including social security numbers, medical information, and email addresses and usernames, among others, businesses can also save time and resources that can instead be allocated to other pursuits. More importantly, however, businesses can maintain compliance with all applicable legislation by ensuring that personal data is protected from unauthorized access.
When compared with many other U.S. states, the privacy and data protection landscape within Colorado is particularly robust, as there are various legal requirements that businesses within the state are responsible for following when collecting the personal information of residents within the state. Through the enactment of both Colo. Rev. Stat. § 6-1-716 and the Colorado Privacy Act, residents of the state have numerous rights and freedoms as it concerns the collection, processing, use, and disclosure of their personal data. To this end, as it pertains to security breaches, Colo. Rev. Stat. § 6-1-716 ensures that the Colorado residents can mitigate the potential consequences of being involved in such an incident, whether it be in the form of identity theft or the loss of funds.
