Records: Protections for PII and Notification of Data Breaches

Records
Protections for PII and Notification of Data Breaches
HB 18-1128
Neutral
Before governor
Reps. Cole Wist, R-Centennial and Jeff Bridges, D-Greenwood Village; Sens. Kent Lambert, R-Colorado Springs and Lois Court, D-Denver
Dianne Criswell

The Colorado Attorney General is charged with enforcing the Consumer Protection Act. The Attorney General’s Office (AGO) put forward the proposed changes in HB 18-1128 to update the Act and adopt best practices in the management of personally identifiable information (PII) in light of recent data breaches reported in national news outlets (e.g., Equifax). HB 18-1128, as amended and passed by the House, would require public and private entities in Colorado that collect PII to:

  • adopt policies to maintain and destroy PII;
  • implement and maintain reasonable security procedures for PII; and
  • disclose and provide notification of data breaches.

We still have questions about the implementation of the statutory duties in the amended bill (which overlays with the other federal, state, and local requirements that we already follow), but note that the amendments adopted on second reading in the House reflect some of the feedback the League and other groups provided about providing notice in light of other considerations (aka, fixing the data breach first). Therefore, the addition of language in the amendments that passed the House that provides that notice must be made "consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach to restore the reasonable integrity of the computerized data system" will make the bill better reflect best practices in managing data breaches.