Colorado Enacts New Data Security Law: Are You In Compliance?



n May 29, 2018 Governor Hickenlooper signed HB 1128 into law. The bill amends the state’s data breach notification law to require that affected Colorado residents be notified within 30 days of a data breach and specifies the information that must be included in the data breach notice. The new law, which became effective September 1, 2018, applies to “covered entities” (if your business maintains, owns or licenses information of Colorado residents, regardless of where the business or data is based, it is a “covered entity”). It also sets forth certain data security requirements and adds requirements regarding the disposal of personal identifying information.

Among other amendments to Colorado’s existing data breach notification law, the new law defines “personal information” as a combination of a Colorado resident’s first name or initial and last name along with one or more of

  • Social Security number;
  • student, military or passport identification number;
  • driver’s license number or identification card number;
  • medical information;
  • health insurance identification number; or
  • biometric data.

The definition of “personal information” also includes a Colorado resident’s (1) username or email address in combination with a password or security questions and answers that would enable access to an online account, and (2) account number or credit or debit card number in combination with any required security code, access code or password that would enable access to that account.

Colorado residents affected by the breach must be notified of the breach within 30 days, with no extensions allowed, and the Colorado attorney general must also be provided notice of the breach if over 500 residents are affected, or reasonably believed to have been affected, regardless of what other security breach procedures the entity might maintain.

The notice must contain specified information, including

  • the date or estimated date or estimated date range of the breach;
  • a description of the personal information breached or reasonably believed to have been breached;
  • the entity’s contact information;
  • the toll-free numbers, addresses and websites for consumer reporting agencies and the Federal Trade Commission (FTC); and
  • a statement that the Colorado resident can obtain information from the FTC and the credit reporting agencies regarding fraud alerts and security freezes.

If the breach involves a Colorado resident’s username or email address in combination with a password or security questions and answers that would enable access to an online account, the entity must also direct affected individuals to take appropriate steps to protect their online accounts.

Additional provisions of the bill require covered entities to ensure that third-party vendors protect personal information before it is shared with the vendor and to implement written policies governing secure document disposal.

The new law does not include exemptions for size or type of entity, and coverage extends to government agencies. The law authorizes the attorney general to bring an action to ensure compliance and/or recover damages, and authorized relief may include criminal charges. D


Danielle Urban is a Certified Information Privacy Professional (CIPP/E) and has a national practice representing a wide range of employers in a global marketplace. Danielle advises clients on national and international data security laws, data breaches, and privacy policies.