COLORADO HB 18-1128 PROTECTIONS FOR CONSUMER DATA PRIVACY 6-1-713, 713.5, 716, 24-73-101-103 Guy Mason (NOT AN ATTORNEY) Mile High ARMA June Meeting June 19, 2018
WHO? Prime Sponsors Rep. Cole Wist, Rep. Jeff Bridges, Sen. Kent Lambert, Sen. Lois Court Passed unanimously Covered Entities Person that maintains, owns, or licenses Personal Identifying Information in the course of the person's business, vocation, or occupation Governmental Entities Colorado Residents
WHAT? Privacy Protection Policies Definitions Destruction Requirements Security Procedures Breach Notification Fines
WHEN? Governor Hickenlooper Signed May 29, 2018 Takes Effect September 1, 2018
WHERE? Colorado
PRIVACY PROTECTION PII: What has to be destroyed after no longer needed. PI: Requires breach notification if disclosed.
POLICIES Written Policy for the Destruction or Proper Disposal of Paper And Electronic Documents Containing Personal Identifying Information Safeguards for protection
PII DEFINITION Personally Identifiable Information (PII) Social Security Number Personal Identification Number Password Passcode Official State or Government-Issued Driver's License or Identification Card Number Government Passport Number Biometric Data (Unique Data from measurements of human body characteristics for identification purposes) Employer, Student, or Military Identification Number Financial Transaction Device (Credit Card / Bank Card / Account Number)
PI DEFINITION Personal Information (PI) First Name or First Initial and Last Name Social Security Number Student, Military, Passport ID Driver's License or Identification Card Number Medical Information Health Insurance Identification Number Biometric Data Username or E-mail Address Password, Security Questions and Answers Account Number or Credit / Debit Card Number Security Code, Access Code, Password Does not include publicly available information
BREACH NOTIFICATION Breach incidents can involve paper or electronic formats After becoming aware that a security breach may have occurred Affecting 500 Colorado Residents Conduct Investigation (misuse of information likely to occur) Notify within 30 days (unless it will impede criminal investigation) Attorney General Affected residents Covered Entity by Third Party Service Provider (unless it will impede criminal investigation) Consumer Reporting Agencies (1000+ Colorado Residents) Many requirements and specifications for Third Parties and Notification
DESTRUCTION REQUIREMENTS WHEN SUCH PAPER OR ELECTRONIC DOCUMENTS ARE NO LONGER NEEDED, THE COVERED ENTITY SHALL DESTROY OR ARRANGE FOR THE DESTRUCTION OF SUCH PAPER AND ELECTRONIC DOCUMENTS WITHIN ITS CUSTODY OR CONTROL THAT CONTAIN PERSONAL IDENTIFYING INFORMATION BY SHREDDING, ERASING, OR OTHERWISE MODIFYING THE PERSONAL IDENTIFYING INFORMATION IN THE PAPER OR ELECTRONIC DOCUMENTS TO MAKE THE PERSONAL IDENTIFYING INFORMATION UNREADABLE OR INDECIPHERABLE THROUGH ANY MEANS. A COVERED ENTITY THAT IS REGULATED BY STATE OR FEDERAL LAW AND THAT MAINTAINS PROCEDURES FOR DISPOSAL OF PERSONAL IDENTIFYING INFORMATION PURSUANT TO THE LAWS, RULES, REGULATIONS, GUIDANCES, OR GUIDELINES ESTABLISHED BY ITS STATE OR FEDERAL REGULATOR IS IN COMPLIANCE WITH THIS SECTION.
SECURITY PROCEDURES Reasonable security procedures and practices Encryption If encryption key is breached Contract with recycler or disposal firm does not automatically require proper destruction of PII
ENFORCEMENT The Attorney General's office has authority to enforce the new requirements, and may bring an action in law or equity to address violations of the law, and for other relief that may be appropriate to ensure compliance with the law or to recover direct economic damages resulting from the violation, or both. https://www.jdsupra.com/legalnews/colorado-strengthens-its-consumer-data-63777/ (4) Violations. THE ATTORNEY GENERAL MAY BRING AN ACTION FOR INJUNCTIVE RELIEF TO ENFORCE THE PROVISIONS OF THIS SECTION. (5) Attorney general criminal authority. UPON RECEIPT OF NOTICE PURSUANT TO SUBSECTION (2) OF THIS SECTION, AND WITH EITHER A REQUEST FROM THE GOVERNOR TO PROSECUTE A PARTICULAR CASE OR WITH THE APPROVAL OF THE DISTRICT ATTORNEY WITH JURISDICTION TO PROSECUTE CASES IN THE JUDICIAL DISTRICT WHERE A CASE COULD BE BROUGHT, THE ATTORNEY GENERAL HAS THE AUTHORITY TO PROSECUTE ANY CRIMINAL VIOLATIONS OF SECTION 18-5.5-102.
OPPORTUNITIES FOR RECORDS MANAGEMENT Improve destruction policies and procedures Improve inventories and file plans regarding PII / PI Encourage destruction of records with PII / PI that are past retention Shorten retention periods of PII / PI records to what is needed to decrease liability