The classic refrigerator clean-out rule, “When in doubt, throw it out,” could be a tagline for Colorado’s recent amendment to its data security and breach notification laws, HB 18-1128. As a policy, if you don’t need personal identifying information (“PII”), it should be properly disposed of or destroyed. If you are going to keep PII, some of the most stringent security requirements in the United States now apply in Colorado, effective September 1, 2018. As part of our blog series for National Cybersecurity Awareness Month, we summarize below the most notable aspects of the amendment, including new disposal program requirements for PII, data security requirements, and a 30-day breach notification obligation. Even if you had a data disposal policy and program in place before the recent Colorado amendment, now is a great time to review the quantity and type of data you continue to hold, the security procedures you have in place, and the effectiveness of your incident response plan.
Disposal of PII
The amendment updates Colorado law to require entities in the state that maintain paper or electronic documents containing PII during the course of business to develop a written policy for the destruction or proper disposal of those paper and electronic documents. The written policy must require the entity to destroy or arrange for the destruction of such papers and electronic documents within its custody or control when they are no longer needed “by shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.”
For the purposes of this requirement, PII means a Social Security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; or a financial transaction device.
Protection of PII
The entity must also protect PII from unauthorized access, use, modification, disclosure, or destruction by implementing and maintaining “reasonable” security procedures and practices that are appropriate to the nature of the PII and the nature and size of the business and its operations. When the entity discloses PII to third-party service providers to maintain, store, or process the PII on its behalf, it must generally also contractually impose these requirements on the vendor.
Notification and Disclosure of Security Breach
Finally, the law amends Colorado’s breach notification statute. Under the amended law, “personal information,” i.e., the data that is subject to potential breach notification requirements, consists of:
(A) A Colorado resident’s first name or first initial and last name in combination with any one or more of the following (when data elements that relate to the resident are not encrypted, redacted, or secured by any other method rendering the name or data element unreadable or unusable):
1 – Social Security number;
2 – student, military, or passport identification number;
3 – driver’s license number or identification card number;
4 – medical information;
5 – health insurance identification number; or
6 – biometric data.
(B) A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; or
(C) A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
In the event of a security breach involving personal information, the entity must give notice to affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. If notice is required, the entity must provide it within 30 days after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system. The amended breach notification statute also includes new requirements for the content of any breach notification.
If the security breach is reasonably believed to have affected 500 or more Colorado residents, the entity must also notify the Colorado Attorney General within 30 days.