COLORADO HB PROTECTIONS FOR CONSUMER DATA PRIVACY


COLORADO HB 18-1128 PROTECTIONS FOR CONSUMER DATA PRIVACY
C.R.S. 6-1-713, 6-1-713.5, 6-1-716, 24-73-101 to 103
Guy Mason (NOT AN ATTORNEY)
Mile High ARMA June Meeting, June 19, 2018

WHO?
- Prime Sponsors: Rep. Cole Wist, Rep. Jeff Bridges, Sen. Kent Lambert, Sen. Lois Court
- Passed unanimously
- Covered Entities: a person that maintains, owns, or licenses Personal Identifying Information in the course of the person's business, vocation, or occupation
- Governmental Entities
- Colorado Residents

WHAT?
- Privacy Protection Policies
- Definitions
- Destruction Requirements
- Security Procedures
- Breach Notification
- Fines

WHEN?
- Governor Hickenlooper signed May 29, 2018
- Takes effect September 1, 2018

WHERE?
- Colorado

PRIVACY PROTECTION
- PII: what has to be destroyed after it is no longer needed
- PI: requires breach notification if disclosed

POLICIES
- Written policy for the destruction or proper disposal of paper and electronic documents containing Personal Identifying Information
- Safeguards for protection

PII DEFINITION: Personally Identifiable Information (PII)
- Social Security Number
- Personal Identification Number
- Password
- Passcode
- Official State or Government-Issued Driver's License or Identification Card Number
- Government Passport Number
- Biometric Data (unique data from measurements of human body characteristics for identification purposes)
- Employer, Student, or Military Identification Number
- Financial Transaction Device (Credit Card / Bank Card / Account Number)

PI DEFINITION: Personal Information (PI)
- First Name or First Initial and Last Name, in combination with:
- Social Security Number
- Student, Military, or Passport ID
- Driver's License or Identification Card Number
- Medical Information
- Health Insurance Identification Number
- Biometric Data
- Username or E-mail Address
- Password, Security Questions and Answers
- Account Number or Credit / Debit Card Number
- Security Code, Access Code, Password
- Does not include publicly available information

BREACH NOTIFICATION
- Breach incidents can involve paper or electronic formats
- After becoming aware that a security breach may have occurred
- Affecting 500 Colorado Residents
- Conduct investigation (is misuse of information likely to occur?)
- Notify within 30 days (unless it will impede a criminal investigation):
  - Attorney General
  - Affected residents
  - Covered Entity, by its Third Party Service Provider (unless it will impede a criminal investigation)
  - Consumer Reporting Agencies (1000+ Colorado Residents)
- Many requirements and specifications for Third Parties and Notification

DESTRUCTION REQUIREMENTS

"WHEN SUCH PAPER OR ELECTRONIC DOCUMENTS ARE NO LONGER NEEDED, THE COVERED ENTITY SHALL DESTROY OR ARRANGE FOR THE DESTRUCTION OF SUCH PAPER AND ELECTRONIC DOCUMENTS WITHIN ITS CUSTODY OR CONTROL THAT CONTAIN PERSONAL IDENTIFYING INFORMATION BY SHREDDING, ERASING, OR OTHERWISE MODIFYING THE PERSONAL IDENTIFYING INFORMATION IN THE PAPER OR ELECTRONIC DOCUMENTS TO MAKE THE PERSONAL IDENTIFYING INFORMATION UNREADABLE OR INDECIPHERABLE THROUGH ANY MEANS. A COVERED ENTITY THAT IS REGULATED BY STATE OR FEDERAL LAW AND THAT MAINTAINS PROCEDURES FOR DISPOSAL OF PERSONAL IDENTIFYING INFORMATION PURSUANT TO THE LAWS, RULES, REGULATIONS, GUIDANCES, OR GUIDELINES ESTABLISHED BY ITS STATE OR FEDERAL REGULATOR IS IN COMPLIANCE WITH THIS SECTION."

SECURITY PROCEDURES
- Reasonable security procedures and practices
- Encryption (notification still applies if the encryption key is breached)
- A contract with a recycler or disposal firm does not automatically require proper destruction of PII

ENFORCEMENT

The Attorney General's office has authority to enforce the new requirements, and may bring an action in law or equity to address violations of the law, and for other relief that may be appropriate to ensure compliance with the law or to recover direct economic damages resulting from the violation, or both.
Source: https://www.jdsupra.com/legalnews/colorado-strengthens-its-consumer-data-63777/

"(4) Violations. THE ATTORNEY GENERAL MAY BRING AN ACTION FOR INJUNCTIVE RELIEF TO ENFORCE THE PROVISIONS OF THIS SECTION.

(5) Attorney general criminal authority. UPON RECEIPT OF NOTICE PURSUANT TO SUBSECTION (2) OF THIS SECTION, AND WITH EITHER A REQUEST FROM THE GOVERNOR TO PROSECUTE A PARTICULAR CASE OR WITH THE APPROVAL OF THE DISTRICT ATTORNEY WITH JURISDICTION TO PROSECUTE CASES IN THE JUDICIAL DISTRICT WHERE A CASE COULD BE BROUGHT, THE ATTORNEY GENERAL HAS THE AUTHORITY TO PROSECUTE ANY CRIMINAL VIOLATIONS OF SECTION 18-5.5-102."

OPPORTUNITIES FOR RECORDS MANAGEMENT
- Improve destruction policies and procedures
- Improve inventories and file plans regarding PII / PI
- Encourage destruction of records with PII / PI that are past retention
- Shorten retention periods of PII / PI records to what is needed, to decrease liability