Colorado Lawmakers Proposed to Amend the Privacy and Data Breach Law

by

A bipartisan team of legislators in Colorado recommended modifying its privacy and data breach notification laws for Colorado residents to obtain better security. If approved, there’ll be substantial adjustments in the existing state regulations. The proposed legislation is going to include these personally identifying information (PII) to the concept of PII.

Full name or last name and initial combined with one of the following data components: personal ID numbers, employment, student and military IDs, state ID numbers, Social Security numbers, passport numbers, state or government driver’s license numbers, passwords and pass codes, biometric data, health information, health insurance information and financial transaction devices.

Usernames/email addresses, credit/debit card numbers and other financial account numbers are likewise integrated, should the stated information end up being compromised along with other information that allows access or usage of accounts. It isn’t deemed as a breach when the PII is encrypted, except if the unauthorized individual also obtains the key to open the encryption.

The new law would necessitate agencies that keep the PII of Colorado residents to use controls that safeguard the privacy and confidentiality of PII. Even though there’s no fixed types of security protections, practices and procedures that need to be carried out, the condition is to utilize security measures suitable to the nature of the PII and the nature and proportion of the business and its functions.

Any entity which wants to expose PII to a third party needs to tell that entity to safeguard and protect the PP all the time utilizing the correct technology, procedures and processes. Sensitive information should be shielded from unauthorized access, usage, disclosure, modification or damage.

Should the entity or third party doesn’t need the PII anymore, the PII, both in paper or digital format, should be securely eliminated without keeping any backup. There has to be a developed policy addressing the elimination of data. Paper documents could be burned, pulped, shredded or pulverized. Digital information should be safely deleted in order to avoid recovery using techniques like degaussing, pulverization, use of software to overwrite media, incineration, melting, disintegration or shredding.

In the event of a PII breach, the covered entity can issue notifications up to 45 days from the time of breach discovery. Notices should be issued “in the most expedient time and without unreasonable delay.” The state attorney general needs to be given a notice of a breach that affects more than 500 individuals no later than 7 days after finding out about the breach.

Breach notification needs to consist of these elements: date of the breach or an estimate if it’s not known, description of the exposed PII, details on how credit freezes and safety warnings can be achieved, contact details, a toll-free number to call for additional information and contact information on consumer reporting agencies and the FTC.

The legislation will likewise provide the Colorado Attorney General the power to kick-off criminal inspections and legal procedures on companies breaking the Colorado state law.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]