Title 24
ARTICLE 73
Security Breaches and Personal Information
24-73-101. Governmental entity – disposal of personal identifying information – policy – definitions.
(1) Each governmental entity in the state that maintains paper or electronic documents during the course of business that contain personal identifying information shall develop a written policy for the destruction or proper disposal of those paper and electronic documents containing personal identifying information. Unless otherwise required by state or federal law or regulation, the written policy must require that, when such paper or electronic documents are no longer needed, the governmental entity destroy or arrange for the destruction of such paper and electronic documents within its custody or control that contain personal identifying information by shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.
(2) A governmental entity that is regulated by state or federal law and that maintains procedures for disposal of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section.
(3) Unless a governmental entity specifically contracts with a recycler or disposal firm for destruction of documents that contain personal identifying information, nothing in this section requires a recycler or disposal firm to verify that the documents contained in the products it receives for disposal or recycling have been properly destroyed or disposed of as required by this section.
(4) For the purposes of this section and section 24-73-102, unless the context otherwise requires:
(a) “Governmental entity” means the state and any state agency or institution, including the judicial department, county, city and county, incorporated city or town, school district, special improvement district, authority, and every other kind of district, instrumentality, or political subdivision of the state organized pursuant to law. “Governmental entity” includes entities governed by home rule charters. “Governmental entity” does not include an entity acting as a third-party service provider as defined in section 24-73-102.
(b) “Personal identifying information” means a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data, as defined in section 24-73-103 (1)(a); an employer, student, or military identification number; or a financial transaction device, as defined in section 18-5-701 (3).
24-73-102. Governmental entity – protection of personal identifying information – definition.
(1) To protect personal identifying information, as defined in section 24-73-101 (4)(b), from unauthorized access, use, modification, disclosure, or destruction, a governmental entity that maintains, owns, or licenses personal identifying information shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the governmental entity.
(2) Unless a governmental entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the governmental entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices that are:
(a) Appropriate to the nature of the personal identifying information disclosed to the third-party service provider; and
(b) Reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.
(3) For the purposes of subsection (2) of this section, a disclosure of personal identifying information does not include disclosure of information to a third party under circumstances where the governmental entity retains primary responsibility for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal identifying information and the governmental entity implements and maintains technical controls reasonably designed to:
(a) Help protect the personal identifying information from unauthorized access, modification, disclosure, or destruction; or
(b) Effectively eliminate the third party’s ability to access the personal identifying information, notwithstanding the third party’s physical possession of the personal identifying information.
(4) A governmental entity that is regulated by state or federal law and that maintains procedures for storage of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section.
(5) For the purposes of this section, “third-party service provider” means an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a governmental entity.
24-73-103. Governmental entity – notification of security breach.
(1) Definitions. As used in this section, unless the context otherwise requires:
(a) “Biometric data” means unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account.
(b) “Determination that a security breach occurred” means the point in time at which there is sufficient evidence to conclude that a security breach has taken place.
(c) “Encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.
(d) “Governmental entity” means the state and any state agency or institution, including the judicial department, county, city and county, incorporated city or town, school district, special improvement district, authority, and every other kind of district, instrumentality, or political subdivision of the state organized pursuant to law. “Governmental entity” includes entities governed by home rule charters. “Governmental entity” does not include an entity acting as a third-party service provider as defined in subsection (1)(I) of this section.
(e) “Medical information” means any information about a consumer’s medical or mental health treatment or diagnosis by a health care professional.
(f) “Notice” means:
(I) Written notice to the postal address listed in the records of the governmental entity;
(II) Telephonic notice;
(III) Electronic notice, if a primary means of communication by the governmental entity with a Colorado resident is by electronic means or the notice provided is consistent with the provisions regarding electronic records and signatures set forth in the federal “Electronic Signatures in Global and National Commerce Act”, 15 U.S.C. Sec. 7001 et seq.; or
(IV) Substitute notice, if the governmental entity required to provide notice demonstrates that the cost of providing notice will exceed two hundred fifty thousand dollars, the affected class of persons to be notified exceeds two hundred fifty thousand Colorado residents, or the governmental entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
(a) E-mail notice if the governmental entity has e-mail addresses for the members of the affected class of Colorado residents;
(b) Conspicuous posting of the notice on the website page of the governmental entity if the governmental entity maintains one; and
(c) Notification to major statewide media.
(g) (I) (a) “Personal information” means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; driver’s license number or identification card number; student, military, or passport identification number; medical information; health insurance identification number; or biometric data, as defined in subsection (1)(a) of this section;
(b) A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; or
(c) A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
(II) “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
(h) “Security breach” means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a governmental entity. Good faith acquisition of personal information by an employee or agent of a governmental entity for the purposes of the governmental entity is not a security breach if the personal information is not used for a purpose unrelated to the lawful government purpose or is not subject to further unauthorized disclosure.
(i) “Third-party service provider” means an entity that has been contracted to maintain, store, or process personal information on behalf of a governmental entity.
(2) Disclosure of breach.
(a) A governmental entity that maintains, owns, or licenses computerized data that includes personal information about a resident of Colorado shall, when it becomes aware that a security breach may have occurred, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The governmental entity shall give notice to the affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. Notice must be made in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
(b) In the case of a breach of personal information, notice required by this subsection (2) to affected Colorado residents must include, but need not be limited to, the following information:
(I) The date, estimated date, or estimated date range of the security breach;
(II) A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach;
(III) Information that the resident can use to contact the governmental entity to inquire about the security breach;
(IV) The toll-free numbers, addresses, and websites for consumer reporting agencies;
(V) The toll-free number, address, and website for the federal trade commission; and
(VI) A statement that the resident can obtain information from the federal trade commission and the credit reporting agencies about fraud alerts and security freezes.
(c) If an investigation by the governmental entity pursuant to subsection (2)(a) of this section determines that the type of personal information described in subsection (1)(g)(I)(b) of this section has been misused or is reasonably likely to be misused, then the governmental entity shall, in addition to the notice
Otherwise required by subsection (2)(b) of this section and in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system:
(I) Direct the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the person or business and all other online accounts for which the person whose personal information has been breached uses the same username or e-mail address and password or security question or answer.
(II) For log-in credentials of an e-mail account furnished by the governmental entity, the governmental entity shall not comply with this section by providing the security breach notification to that e-mail address, but may instead comply with this section by providing notice through other methods, as defined in subsection (1)(f) of this section, or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an internet protocol address or online location from which the governmental entity knows the resident customarily accesses the account.
(d) The breach of encrypted or otherwise secured personal information must be disclosed in accordance with this section if the confidential process, encryption key, or other means to decipher the secured information was also acquired in the security breach or was reasonably believed to have been acquired.
(e) A governmental entity that is required to provide notice pursuant to this subsection (2) is prohibited from charging the cost of providing such notice to individuals.
(f) Nothing in this subsection (2) prohibits the notice described in this subsection (2) from containing additional information, including any information that may be required by state or federal law.
(g) If a governmental entity uses a third-party service provider to maintain computerized data that includes personal information, then the third-party service provider shall give notice to and cooperate with the governmental entity in the event of a security breach that compromises such computerized data, including notifying the governmental entity of any security breach in the most expedient time and without unreasonable delay following discovery of a security breach, if misuse of personal information about a Colorado resident occurred or is likely to occur. Cooperation includes sharing with the covered entity information relevant to the security breach; except that such cooperation does not require the disclosure of confidential business information or trade secrets.
(h) Notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and the law enforcement agency has notified the governmental entity that operates in Colorado not to send notice required by this section. Notice required by this section must be made in good faith, in the most expedient time possible and without unreasonable delay, but not later than thirty days after the law enforcement agency determines that notification will no longer impede the investigation, and has notified the governmental entity that it is appropriate to send the notice required by this section.
(I) If a governmental entity is required to notify more than one thousand Colorado residents of a security breach pursuant to this section, the governmental entity shall also notify, in the most expedient time possible and without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by the federal “Fair Credit Reporting Act”, 15 U.S.C. Sec. 1681a (p), of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. Nothing in this subsection (2)(i) requires the governmental entity to provide to the consumer reporting agency the names or other personal information of security breach notice recipients. This subsection (2)(i) does not apply to a person who is subject to title v of the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. Sec. 6801 et seq.
(j) A waiver of these notification rights or responsibilities is void as against public policy.
(k) (I) the governmental entity that must notify Colorado residents of a data breach pursuant to this section shall provide notice of any security breach to the Colorado attorney general in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred, if the security breach is reasonably believed to have affected five hundred Colorado residents or more, unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not likely to occur.
(II) The Colorado attorney general shall designate a person or persons as a point of contact for functions set forth in this subsection (2)(k) and shall make the contact information for that person or those persons public on the attorney general’s website and by any other appropriate means.
(1) The breach of encrypted or otherwise secured personal information must be disclosed in accordance with this section if the confidential process, encryption key, or other means to decipher the secured information was also acquired or was reasonably believed to have been acquired in the security breach.
(3) Procedures deemed in compliance with notice requirements.
(a) Pursuant to this section, a governmental entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information and whose procedures are otherwise consistent with the timing requirements of this section is in compliance with the notice requirements of this section if the governmental entity notifies affected Colorado residents in accordance with its policies in the event of a security breach; except that notice to the attorney general is still required pursuant to subsection (2)(k) of this section.
(b) A governmental entity that is regulated by state or federal law and that maintains procedures for a security breach pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section; except that notice to the attorney general is still required pursuant to subsection (2)(k) of this section. In the case of a conflict between the time period for notice to individuals, the law or regulation with the shortest notice period controls.
(4) Violations. The attorney general may bring an action for injunctive relief to enforce the provisions of this section.
(5) Attorney general criminal authority. Upon receipt of notice pursuant to subsection (2) of this section, and with either a request from the governor to prosecute a particular case or with the approval of the district attorney with jurisdiction to prosecute cases in the judicial district where a case could be brought, the attorney general has the authority to prosecute any criminal violations of section 18-5.5-102.