Date: 2018-11-19
In light of what has now become the data breach/internet scandal du jour, keeping personal identifying information private is a front-burner issue for Congress and state legislatures.
The Colorado General Assembly took another swing at this ball with House Bill 18-1128, titled “concerning strengthening protections for consumer data privacy.”
This bill amended various state statutes to require enterprises that acquire personal identifying information to “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”
So what does that actually mean? The drafters of the bill decided to leave this question unanswered. Since technology affecting data security is changing at roughly the speed of light, they thought any attempt at precisely defining “reasonable security procedures and practices” would quickly become outdated. (A few other states adopting privacy legislation have apparently learned this the hard way and have had to amend their statutes.)
The meaning of “reasonable security procedures and practices” in Colorado will therefore be fleshed out, over time, through enforcement actions by the attorney general’s office.
House Bill 18-1128 also did other things. It requires entities employing third parties to provide services involving the use of personal identifying information to make sure the information will be secure when in the hands of the third party. Also, entities acquiring personal identifying information must adopt and implement a written policy concerning the destruction of this information as soon as it is “no longer needed.”
House Bill 18-1128 also changed the rules for when an entity suffering a data breach must inform affected individuals. Before this legislation, notice had to be given “without unreasonable delay.” Now, the statute says notice must be given without unreasonable delay “but not later than 30 days” after the date the breach has been discovered.
The statutes principally affected by House Bill 18-1128 are part of the Colorado Consumer Protection Act. This means violators can be subject to administrative enforcement actions by the attorney general’s office and also lawsuits by private parties claiming injury from a violation. The Consumer Protection Act allows for triple damages if a violation is fraudulent or willful.
House Bill 18-1128 also created similar personal identifying information privacy and notification requirements for governmental entities. Here, there isn’t a private right of action. Enforcement will come in the form of an administrative action by the attorney general’s office.
The changes made by House Bill 18-1128 became effective Sept. 1.
Jim Flynn is with the Colorado Springs firm of Flynn & Wright LLC. Email moneylaw@jtflynn.com.