Preparing for Colorado’s New Expansive Data Privacy Law

A new Colorado law taking effect in September will provide individuals with enhanced data protection rights and impose the nation’s shortest window for reporting data breaches to law enforcement officials. Colorado HB18-1128, known as Protections for Consumer Data Privacy, also expands the type of information that must be protected and extends protection requirements to third parties that process or hold information on behalf of others.

Here’s what you need to know about the new law and its insurance and risk implications:

A Small Notification Window

HB18-1128’s most notable change is to Colorado’s breach notification requirements. Under existing state law, businesses must notify persons affected by a data breach “in the most expedient time possible and without unreasonable delay.” Under HB18-1128, covered entities must now notify affected persons within 30 days of confirmation of a data breach, the smallest window in the country.

The new law also requires businesses to notify Colorado’s attorney general when a breach affects 500 or more persons, and consumer reporting agencies when a breach affects 1,000 or more. When conflicting notification periods apply —the federal Health Insurance Portability and Accountability Act, for example, permits notification within 60 days — the shortest period will prevail.

Safeguarding Information

Entities covered under Colorado’s new law — including those that own, maintain, or license personal information — are required to implement and maintain reasonable practices and procedures to safeguard information against unauthorized access, use, and disclosure. Third parties that maintain, store, or process data on behalf of covered entities also fall under the law, which applies to all entities doing business in Colorado — even those without a physical presence in the state.

Broader Definition of “Personal Information”

HB18-1128 also expands the definition of “personal information.” Under Colorado’s existing law, personal information includes social security numbers; driver’s license or other state identification numbers; and account, credit card, or debit card numbers in combination with security codes, access codes, or passwords. Under the new law, personal information also includes:

• Student, military, or passport identification number.
• Medical information.
• Health insurance identification numbers. 
• Biometric data.
• Usernames and emails in combination with passwords or security questions and answers.

Managing Risk

The new law could increase both the frequency and severity of claims against cyber insurance policies, which should respond. But organizations that do business in Colorado should review their existing programs carefully. Specifically, they should look at any sublimits for regulatory actions that may exist in current policies and consider reevaluating overall policy limits.

Beyond insurance, businesses that could be affected by the law should also review information security policies and procedures and third-party service contracts, especially those with specific provisions related to data protection. It’s important that all parties understand where contractual responsibility for protecting data sits — and if you rely on third parties to process or maintain data on your behalf, make sure their policies are as rigorous as your own.