The Colorado Attorney General is charged with enforcing the Consumer Protection
Act. The Attorney General’s Office (AGO)
put forward the proposed changes in HB 18-1128 to provide updates to the Act to
adopt best practices in the management of personally identifiable information (PII)
in light of recent data breaches reported in national news outlets (e.g.,
Equifax). HB 18-1128, as amended and passed by the House, would require public and private
entities in Colorado that collect PII to:

We still have questions about the implementation of the statutory duties in the
amended bill (which overlays with the other federal, state, and local requirements
that we already follow), but note that the amendments adopted on second reading in the House reflect some of the feedback the League and other groups provided about providing notice in light of other considerations (i.e., fixing the data breach first). Therefore, the addition of language in the amendments that passed the House providing that notice must be made "consistent with the legitimate needs of law enforcement and with any measures necessary to determine the scope of the breach to restore the reasonable integrity of the computerized data system" will make the bill better reflect best practices in managing data breaches.