The Colorado Attorney General is charged with enforcing the Consumer Protection
Act. The Attorney General’s Office (AGO)
put forward the proposed changes in HB 18-1128 to provide updates to the Act to
adopt best practices in the management of personally identifiable information (PII)
in light of recent data breaches reported in national news outlets (e.g.,
Equifax) legislation. HB 18-1128 as introduced required private
entities in Colorado that collect PII to:
policies to maintain and destroy PII;
and maintain reasonable security procedures for PII; and
and provide notification of data breaches.
A committee amendment adopted on February 15 added governmental entities,
including municipalities, to the data breach provisions.
While we may have questions about implementation of the statutory duties in the
amended bill (which overlays with the other federal, state, and local requirements
that we already follow), we believe that Colorado’s
municipalities take their records custodial duties, including the protection of