Records: Protections for PII and Notification of Data Breaches

Records Protections for PII and Notification of Data Breaches HB 18-1128 Neutral H. Appropriations Reps. Cole Wist, R-Centennial and Jeff Bridges, D-Greenwood Village; Sens. Kent Lambert, R-Colorado Springs and Lois Court, D-Denver Dianne Criswell

The Colorado Attorney General is charged with enforcing the Consumer Protection Act.  The Attorney General’s Office (AGO) put forward the proposed changes in HB 18-1128 to provide updates to the Act to adopt best practices in the management of personally identifiable information (PII) in light of recent data breaches reported in national news outlets (for eg. Equifax)  legislation.  HB 18-1128 as introduced required private entities in Colorado that collect PII to:


  • adopt policies to maintain and destroy PII;
  • implement and maintain reasonable security procedures for PII; and
  • disclose and provide notification of data breaches.
  • The committee amendment adopted on February 15 added governmental entities, including municipalities, to the data breach provisions.  


While we may have questions about implementation of the statutory duties in the amended bill (which overlays with the other federal, state, and local requirements that  we already follow) we believe that Colorado’s municipalities take their records custodial duties, including the protection of PII, seriously.