The law applies to any individual or commercial entity that maintains, owns, or licenses “personal information” or PII, as applicable, in the course of its business, vocation, or occupation, and also contains largely identical provisions that apply to state and local governments. House Bill 18-1128 amends Colo. Rev. Stat. § 6-1-713 et seq. and takes effect on September 1, 2018.Breach Notification The new law expands the pre-existing definition of “personal information,” whose unauthorized acquisition may trigger notification obligations, to include a first name or initial and last name in combination with unencrypted or unsecured medical information, health insurance identification information, and biometric data.

03, the Colorado law also requires covered entities to maintain and implement policies governing the destruction and disposal of records (paper and electronic) that contain personal identifying information. See C.R.S. § 6-1-713. Further, all covered entities are required to “implement and maintain reasonable security procedures and practices” to protect personal identifying information.

Colorado recently became the latest state to include biometric information in the definition of personal information for the purposes of its breach notification statute. Beginning September 1, 2018, under Colo. Rev. Stat. § 6-1-713 et seq., companies must notify Colorado residents of a data breach that includes their biometric information.

In January 2018, Colorado legislators sponsored a bill that, if passed, will change the state’s existing data breach reporting laws in important ways. A House Committee Report detailing the current version of the bill can be found here. The bill would create a new statute, C.R.S. § 6-1-713.5, titled Protection of Personal Identifying Information, which amends the existing statutes C.R.S. § 6-1-713, governing the disposal of personal identifying information, and C.R.S. § 6-1-716, Notification of Security Breach. Included in these proposed changes are the following amendments:Disposal of Personal Identifying InformationAll “public and private entit[ies] in the state that maintain[] paper or electronic documents during the course of business that contain personal identifying information” will be required to develop a written policy for the destruction or disposal of such information once such documentation is “no longer needed.”Protection of Personal Identifying InformationA person who maintains, owns or licenses personal identifying information of a Colorado resident shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operation.

In January 2018, Colorado legislators sponsored a bill that, if passed, will change the state’s existing data breach reporting laws in important ways. A House Committee Report detailing the current version of the bill can be found here. The bill would create a new statute, C.R.S. § 6-1-713.5, titled Protection of Personal Identifying Information, which amends the existing statutes C.R.S. § 6-1-713, governing the disposal of personal identifying information, and C.R.S. § 6-1-716, Notification of Security Breach. Included in these proposed changes are the following amendments:Disposal of Personal Identifying Information All “public and private entit[ies] in the state that maintain[] paper or electronic documents during the course of business that contain personal identifying information” will be required to develop a written policy for the destruction or disposal of such information once such documentation is “no longer needed.”Protection of Personal Identifying Information A person who maintains, owns or licenses personal identifying information of a Colorado resident shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operation.

Proposed Data Disposal and Security Requirements As discussed in our initial alert, the bill would create a new statute, C.R.S. 6-1-713.5, that would require entities to implement and maintain “reasonable security procedures and practices” to protect “personal identifying information” (PII) of Colorado residents. The bill also would amend C.R.S. 6-1-713 to require entities to develop a written policy for the destruction or proper disposal of paper or electronic documents that contain PII. The amended bill adds new language to each of those statutes, stating that any entity regulated by state or federal law and that maintains procedures for disposal and protection of PII pursuant to the "laws, rules, regulations, or guidances or guidelines established by its state or federal regulator is in compliance" with the amended bill's data disposal and security requirements.