Consumer Data Privacy – Amendment to Colorado’s Law, Effective September 1, 2018
J. Kent Staffing is pleased to share this white paper authored by LaRona Mondt, Esq., corporate attorney with Messner Reeves LLP. Messner Reeves is a Denver-based full-service business law firm.
Colorado recently amended its consumer data privacy law. Effective September 1, 2018, all businesses that collect personal identifying information of consumers in Colorado must implement security procedures for the protection of consumers’ data, dispose of unneeded data, and provide notice of data breaches to consumers.
Data Security Procedures
Employers must implement and maintain reasonable security procedures and practices to protect personal identifying information of Colorado residents from unauthorized access or disclosure and must require their third-party service providers to do the same.
- “Personal identifying information” means a Social Security number; a personal identification number; a password; a passcode; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; or a financial transaction device.
Destruction of Unneeded Data
Employers must develop a written policy for the destruction of paper and electronic documents containing personal identifying information when such documents are no longer needed.
When an employer becomes aware that a security breach of personal information may have occurred, the employer must: (i) conduct a good faith, prompt investigation to determine whether the personal information will be misused and (ii) provide notice to the affected Colorado residents within 30 days unless the investigation determines that a misuse of information has not occurred and is not reasonably likely to occur.
“Personal information” means a Colorado resident’s:
- First and last name in combination with any other identifying data, such as a Social Security number, a student ID number, a passport ID number, a driver’s license number, medical information, or biometric data;
- Username and password or security question combination that would permit access to the account; and
- Account or credit card number and security code or password combination that would permit access to the account.