In Colorado bill HB 1128 has been signed into law by Governor John Hickenlooper. This bill enhances security for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Colorado State Legislature. The bill will take become enforceable on September 1, 2018.
From that date organizations conducting business the state of Colorado must adapt reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is secured. The bill also minimizes the time for making the state attorney general aware of breaches of PII and sets in places new rules for disposing of PII when it is no longer needed.
Personal information is classified as first name and last name or first initial and last name along with any of the following data elements (when not encrypted, redacted, or safeguarded by another means that renders the information unreadable):
- Social Security details
- Student Identification number
- Military ID information
- Passport credentials
- Driver’s license number or ID card
- Medical info and history
- Health insurance policy number
- Biometric data
- Email addresses along with passwords or security Q&As
- Banking account numbers, and credit cards and debit cards with associated security codes that would grant access/use
Covered organizations must implement and maintain “Reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” Those tactics should protect PII from unauthorized access, amendment, disclosure, and destruction. In cases where PII is shared to a third party, the covered body must ensure the third party also has reasonable security measures established.
A written policy must be developed by all firms that manage the personal data of Colorado citizens covering the disposal of that information when it is no longer needed. Electronic data and physical documents listing PII must be disposed of securely. The bill implies that “shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.”