24-73-101. Governmental entity - disposal of personal identifying information - policy - definitions.
(1) Each governmental entity in the state that maintains
paper or electronic documents during the course of business that contain
personal identifying information shall develop a written policy for the
destruction or proper disposal of those paper and electronic documents
containing personal identifying information. Unless otherwise required by
state or federal law or regulation, the written policy must require that,
when such paper or electronic documents are no longer needed, the
governmental entity destroy or arrange for the destruction of such paper and
electronic documents within its custody or control that contain personal
identifying information by shredding, erasing, or otherwise modifying the
personal identifying information in the paper or electronic documents to
make the personal identifying information unreadable or indecipherable
through any means.
(2) A governmental entity that is regulated by state or federal law and that
maintains procedures for disposal of personal identifying information
pursuant to the laws, rules, regulations, guidances, or guidelines
established by its state or federal regulator is in compliance with this
section.
(3) Unless a governmental entity specifically contracts with a recycler or
disposal firm for destruction of documents that contain personal identifying
information, nothing in this section requires a recycler or disposal firm to
verify that the documents contained in the products it receives for disposal
or recycling have been properly destroyed or disposed of as required by this
section.
(4) For the purposes of this section and section 24-73-102, unless the
context otherwise requires:
(a) "Governmental entity" means the state and any state agency or
institution, including the judicial department, county, city and county,
incorporated city or town, school district, special improvement district,
authority, and every other kind of district, instrumentality, or political
subdivision of the state organized pursuant to law. "Governmental entity"
includes entities governed by home rule charters. "Governmental entity" does
not include an entity acting as a third-party service provider as defined in
section 24-73-102.
(b) "Personal identifying information" means a social security number; a
personal identification number; a password; a pass code; an official state
or government-issued driver's license or identification card number; a
government passport number; biometric data, as defined in section 24-73-103
(1)(a); an employer, student, or military identification number; or a
financial transaction device, as defined in section 18-5-701 (3).
24-73-102. Governmental entity - protection of personal identifying information - definition.
(1) To protect personal identifying information, as defined
in section 24-73-101 (4)(b), from unauthorized access, use, modification,
disclosure, or destruction, a governmental entity that maintains, owns, or
licenses personal identifying information shall implement and maintain
reasonable security procedures and practices that are appropriate to the
nature of the personal identifying information and the nature and size of
the governmental entity.
(2) Unless a governmental entity agrees to provide its own security
protection for the information it discloses to a third-party service
provider, the governmental entity shall require that the third-party service
provider implement and maintain reasonable security procedures and practices
that are:
(a) Appropriate to the nature of the personal identifying information
disclosed to the third-party service provider; and
(b) Reasonably designed to help protect the personal identifying information
from unauthorized access, use, modification, disclosure, or destruction.
(3) For the purposes of subsection (2) of this section, a disclosure of
personal identifying information does not include disclosure of information
to a third party under circumstances where the governmental entity retains
primary responsibility for implementing and maintaining reasonable security
procedures and practices appropriate to the nature of the personal
identifying information and the governmental entity implements and maintains
technical controls reasonably designed to:
(a) Help protect the personal identifying information from unauthorized
access, modification, disclosure, or destruction; or
(b) Effectively eliminate the third party's ability to access the personal
identifying information, notwithstanding the third party's physical
possession of the personal identifying information.
(4) A governmental entity that is regulated by state or federal law
and that maintains procedures for storage of personal identifying
information pursuant to the laws, rules, regulations, guidances, or
guidelines established by its state or federal regulator is in
compliance with this section.
(5) For the purposes of this section, "third-party service provider" means
an entity that has been contracted to maintain, store, or process personal
identifying information on behalf of a governmental entity.
24-73-103. Governmental entity - notification of security breach.
(1) Definitions. As used in this section, unless the context
otherwise requires:
(a) "Biometric data" means unique biometric data generated from measurements
or analysis of human body characteristics for the purpose of authenticating
the individual when he or she accesses an online account.
(b) "Determination that a security breach occurred" means the point in time
at which there is sufficient evidence to conclude that a security breach has
taken place.
(c) "Encrypted" means rendered unusable, unreadable, or indecipherable to an
unauthorized person through a security technology or methodology
generally accepted in the field of information security.
(d) "Governmental entity" means the state and any state agency or
institution, including the judicial department, county, city and county,
incorporated city or town, school district, special improvement district,
authority, and every other kind of district, instrumentality, or political
subdivision of the state organized pursuant to law. "Governmental entity"
includes entities governed by home rule charters. "Governmental entity" does
not include an entity acting as a third-party service provider as defined in
subsection (1)(i) of this section.
(e) "Medical information" means any information about a consumer's medical
or mental health treatment or diagnosis by a health care professional.
(f) "Notice" means:
(I) Written notice to the postal address listed in the records of the
governmental entity;
(II) Telephonic notice;
(III) Electronic notice, if a primary means of communication by the
governmental entity with a Colorado resident is by electronic means or the
notice provided is consistent with the provisions regarding electronic
records and signatures set forth in the federal "Electronic Signatures in
Global and National Commerce Act", 15 U.S.C. Sec. 7001 et seq.; or
(IV) Substitute notice, if the governmental entity required to provide
notice demonstrates that the cost of providing notice will exceed two
hundred fifty thousand dollars, the affected class of persons to be notified
exceeds two hundred fifty thousand Colorado residents, or the governmental
entity does not have sufficient contact information to provide notice.
Substitute notice consists of all of the following:
(a) E-mail notice if the governmental entity has e-mail addresses for the
members of the affected class of Colorado residents;
(b) Conspicuous posting of the notice on the website page of the
governmental entity if the governmental entity maintains one; and
(c) Notification to major statewide media.
(g) (I) (a) "Personal information" means a Colorado resident's first name or
first initial and last name in combination with any one or more of the
following data elements that relate to the resident, when the data elements
are not encrypted, redacted, or secured by any other method rendering the
name or the element unreadable or unusable: social security number; driver's
license number or identification card number; student, military, or passport
identification number; medical information; health insurance identification
number; or biometric data, as defined in subsection (1)(a) of this section;
(b) A Colorado resident's username or e-mail address, in combination with a
password or security questions and answers, that would permit access to an
online account; or
(c) A Colorado resident's account number or credit or debit card number in
combination with any required security code, access code, or password that
would permit access to that account.
(II) "Personal information" does not include publicly available information
that is lawfully made available to the general public from federal, state,
or local government records or widely distributed media.
(h) "Security breach" means the unauthorized acquisition of unencrypted
computerized data that compromises the security, confidentiality, or
integrity of personal information maintained by a governmental entity. Good
faith acquisition of personal information by an employee or agent of a
governmental entity for the purposes of the governmental entity is not a
security breach if the personal information is not used for a purpose
unrelated to the lawful government purpose or is not subject to further
unauthorized disclosure.
(i) "Third-party service provider" means an entity that has been contracted
to maintain, store, or process personal information on behalf of a
governmental entity.
(2) Disclosure of breach.
(a) A governmental entity that maintains, owns, or licenses computerized
data that includes personal information about a resident of Colorado shall,
when it becomes aware that a security breach may have occurred, conduct in
good faith a prompt investigation to determine the likelihood that personal
information has been or will be misused. The governmental entity shall give
notice to the affected Colorado residents unless the investigation
determines that the misuse of information about a Colorado resident has not
occurred and is not reasonably likely to occur. Notice must be made in the
most expedient time possible and without unreasonable delay, but not later
than thirty days after the date of determination that a security breach
occurred, consistent with the legitimate needs of law enforcement and
consistent with any measures necessary to determine the scope of the breach
and to restore the reasonable integrity of the computerized data system.
(b) In the case of a breach of personal information, notice required
by this subsection (2) to affected Colorado residents must include, but need
not be limited to, the following information:
(I) The date, estimated date, or estimated date range of the security
breach;
(II) A description of the personal information that was acquired or
reasonably believed to have been acquired as part of the security breach;
(III) Information that the resident can use to contact the governmental
entity to inquire about the security breach;
(IV) The toll-free numbers, addresses, and websites for consumer reporting
agencies;
(V) The toll-free number, address, and website for the federal trade
commission; and
(VI) A statement that the resident can obtain information from the federal
trade commission and the credit reporting agencies about fraud alerts and
security freezes.
(c) If an investigation by the governmental entity pursuant to subsection
(2)(a) of this section determines that the type of personal information
described in subsection (1)(g)(I)(b) of this section has been misused or is
reasonably likely to be misused, then the governmental entity shall, in
addition to the notice otherwise required by subsection (2)(b) of this
section and in the most expedient time possible and without unreasonable
delay, but not later than
thirty days after the date of determination that a security breach occurred,
consistent with the legitimate needs of law enforcement and consistent with
any measures necessary to determine the scope of the breach and to restore
the reasonable integrity of the computerized data system:
(I) Direct the person whose personal information has been breached to
promptly change his or her password and security question or answer, as
applicable, or to take other steps appropriate to protect the online account
with the person or business and all other online accounts for which the
person whose personal information has been breached uses the same username
or e-mail address and password or security question or answer.
(II) For log-in credentials of an e-mail account furnished by the
governmental entity, the governmental entity shall not comply with this
section by providing the security breach notification to that e-mail
address, but may instead comply with this section by providing notice
through other methods, as defined in subsection (1)(f) of this section, or
by clear and conspicuous notice delivered to the resident online when the
resident is connected to the online account from an internet protocol
address or online location from which the governmental entity knows the
resident customarily accesses the account.
(d) The breach of encrypted or otherwise secured personal information must
be disclosed in accordance with this section if the confidential process,
encryption key, or other means to decipher the secured information was also
acquired in the security breach or was reasonably believed to have been
acquired.
(e) A governmental entity that is required to provide notice pursuant to
this subsection (2) is prohibited from charging the cost of providing such
notice to individuals.
(f) Nothing in this subsection (2) prohibits the notice described in this
subsection (2) from containing additional information, including any
information that may be required by state or federal law.
(g) If a governmental entity uses a third-party service provider to maintain
computerized data that includes personal information, then the third-party
service provider shall give notice to and cooperate with the governmental
entity in the event of a security breach that compromises such computerized
data, including notifying the governmental entity of any security breach in
the most expedient time and without unreasonable delay following discovery
of a security breach, if misuse of personal information about a Colorado
resident occurred or is likely to occur. Cooperation includes sharing with
the covered entity information relevant to the security breach; except that
such cooperation does not require the disclosure of confidential business
information or trade secrets.
(h) Notice required by this section may be delayed if a law enforcement
agency determines that the notice will impede a criminal investigation and
the law enforcement agency has notified the governmental entity that
operates in Colorado not to send notice required by this section. Notice
required by this section must be made in good faith, in the most expedient
time possible and without unreasonable delay, but not later than thirty days
after the law enforcement agency determines that notification will no longer
impede the investigation, and has notified the governmental entity that it
is appropriate to send the notice required by this section.
(i) If a governmental entity is required to notify more than one thousand
Colorado residents of a security breach pursuant to this section, the
governmental entity shall also notify, in the most expedient time possible
and without unreasonable delay, all consumer reporting agencies that compile
and maintain files on consumers on a nationwide basis, as defined by the
federal "Fair Credit Reporting Act", 15 U.S.C. Sec. 1681a (p), of the
anticipated date of the notification to the residents and the approximate
number of residents who are to be notified. Nothing in this subsection
(2)(i) requires the governmental entity to provide to the consumer reporting
agency the names or other personal information of security breach notice
recipients. This subsection (2)(i) does not apply to a person who is subject
to title v of the federal "Gramm-Leach-Bliley Act", 15 U.S.C. Sec. 6801 et
seq.
(j) A waiver of these notification rights or responsibilities is void as
against public policy.
(k) (I) The governmental entity that must notify Colorado residents of a
data breach pursuant to this section shall provide notice of any security
breach to the Colorado attorney general in the most expedient time possible
and without unreasonable delay, but not later than thirty days after the
date of determination that a security breach occurred, if the security
breach is reasonably believed to have affected five hundred Colorado
residents or more, unless the investigation determines that the misuse of
information about a Colorado resident has not occurred and is not likely to
occur.
(II) The Colorado attorney general shall designate a person or persons as a
point of contact for functions set forth in this subsection (2)(k) and shall
make the contact information for that person or those persons public on the
attorney general's website and by any other appropriate means.
(l) The breach of encrypted or otherwise secured personal information must
be disclosed in accordance with this section if the confidential process,
encryption key, or other means to decipher the secured information was also
acquired or was reasonably believed to have been acquired in the security
breach.
(3) Procedures deemed in compliance with notice requirements.
(a) Pursuant to this section, a governmental entity that maintains its own
notification procedures as part of an information security policy for the
treatment of personal information and whose procedures are otherwise
consistent with the timing requirements of this section is in compliance
with the notice requirements of this section if the governmental entity
notifies affected Colorado residents in accordance with its policies in the
event of a security breach; except that notice to the attorney general is
still required pursuant to subsection (2)(k) of this section.
(b) A governmental entity that is regulated by state or federal law and that
maintains procedures for a security breach pursuant to the laws, rules,
regulations, guidances, or guidelines established by its state or federal
regulator is in compliance with this section; except that notice to the
attorney general is still required pursuant to subsection (2)(k) of this
section. In the case of a conflict between the time period for notice to
individuals, the law or regulation with the shortest notice period controls.
(4) Violations. The attorney general may bring an action
for injunctive relief to enforce the provisions of this section.
(5) Attorney general criminal authority. Upon receipt of
notice pursuant to subsection (2) of this section, and with either a request
from the governor to prosecute a particular case or with the approval of the
district attorney with jurisdiction to prosecute cases in the judicial
district where a case could be brought, the attorney general has the
authority to prosecute any criminal violations of section 18-5.5-102.