Almost all U.S. states have laws about data security and what to do when there’s a data breach. Here is the Colorado law, which is codified at C.R.S. § 6-1-716,
Who the law applies to. An individual or commercial entity (whether for profit or non-profit) who conducts business in Colorado and who owns or licenses computerized data which includes personal information about a Colorado resident.
“Personal information” means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:
- social security number,
- driver’s license number or identification card number, or
- account number or credit or debit card number, in combination with any required security or access code or password that would permit access to a resident’s financial account.
Notably, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
When does a breach occur? A breach occurs when there is an unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of personal information of a Colorado resident maintained by an individual or commercial entity.
Requirements after a breach. After an individual or commercial entity becomes aware of a breach, they must first conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. Unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur, the individual or commercial entity must notify as soon as the possible each Colorado resident whose information was compromised.
If the individual or commercial entity does not own or license the compromised personal information, then they must give notice to and cooperate with the owner or licensee of the information of any breach immediately following discovery of a breach.
Requirements for notification.
Who to notify. The affected Colorado residents, and if notification of more than 1,000 Colorado residents is required, all consumer credit reporting agencies that compile files on consumers on a nationwide basis must be notified without unreasonable delay.
How to notify. Notice may be provided by any of the following methods:
- written notice to the postal address listed in the records of the individual or commercial entity;
- telephonic notice;
- electronic notice; or
- substitute notice, which consists of e-mail notice if the individual or commercial entity has an e-mail address and, if not, conspicuous posting of the notice on the website page of the individual or the commercial entity and notification to major statewide media, if the individual or commercial entity demonstrates the cost of providing notice will exceed $250,000, the affected class of persons exceeds 250,000 Colorado residents, or the individual or commercial entity does not have sufficient contact information to provide notice.
When to notify. Notice shall be made in the most expedient time possible and without unreasonable delay, “consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.”
Non-compliance. The Colorado Attorney General may bring an action in law or equity to address violations of the data breach law and for other relief that may be appropriate to ensure compliance or to recover direct economic damages resulting from a violation. However, private causes of action may be available in the event of a data breach.
Other federal and state laws. An individual or a commercial entity that is regulated by state or federal law and maintains procedures for a data breach pursuant to the laws, rules regulations, guidance, or guidelines established by its state or federal regulator will be deemed to be in compliance with this section.