Colorado law requires covered entities that experience a data breach to notify affected Coloradans and provide notice to the Office of the Attorney General if the breach affects 500 or more Coloradans.
Effective January 5, 2022, reporting entities should direct this notice to the Attorney General through the online Data Breach Reporting Form.
How do I use the Data Breach Reporting Form?
Before you fill out the form, here is what you need to know:
What happens after I submit my completed Data Breach Reporting Form?
The Consumer Protection Section of the Attorney General’s Office will contact you if it has any follow-up questions.
If you are unable to use the data breach reporting form, please contact the Consumer Protection Section of the Attorney General’s Office at databreach@coag.gov.
What are Colorado’s data security laws?
There are three primary components to Colorado’s data security laws.
Who is impacted by the changes to Colorado’s consumer data security laws?
Any person, commercial entity, or governmental entity that maintains, owns, or licenses PII or PI of Colorado residents in the course of its business, vocation, or occupation.
What is PII?
PII includes social security numbers; personal identification numbers; passwords; pass codes; official state or government-issued driver’s license or identification card numbers; government passport numbers; biometric data; employer, student, or military identification numbers; and financial transaction devices, including financial account numbers.
What is PI?
PI includes a Colorado resident’s first name or first initial and last name in combination with any of the following, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:
PI also includes:
PI does not include information that is lawfully made available to the general public from government records or widely distributed media.
What does the law say about disposal of PII?
If you maintain PII, in paper or electronic form, you are required to develop a written policy to ensure that the PII is destroyed or properly disposed of when it is no longer needed. Private persons and entities should refer to C.R.S. § 6-1-713. Governmental entities should refer to C.R.S. § 24-73-101.
I am regulated by state or federal law, and my regulator sets its own requirements for disposal of PII. Is it sufficient to follow those laws and regulations?
Yes. If you maintain procedures for disposal of PII pursuant to the laws, rules, regulations, guidances, or guidelines established by your state or federal regulator, you are in compliance with Colorado’s law governing disposal of PII.
What steps does the law require me to take to protect PII that I maintain, own, or license in the course of my business?
You are required to implement and maintain reasonable security procedures and practices to protect PII, taking into account the nature and size of your business and the type of PII you collect. See C.R.S. § 6-1-713.5 if you are a person or commercial entity, C.R.S. § 24-73-102 if you are a governmental entity.
I am regulated by state or federal law, and my regulator sets its own requirements for protection of PII. Is it sufficient to follow those laws and regulations?
Yes. If you maintain procedures for the protection of PII pursuant to the laws, rules, regulations, guidances, or guidelines established by your state or federal regulator, you are in compliance with Colorado’s law governing the protection of PII.
What obligations do I have if a third-party service provider maintains, stores, or processes PII on my behalf?
Unless you agree to provide your own security protection for any PII you disclose to a third-party service provider, you must require the third-party service provider to implement and maintain reasonable security procedures and practices that are appropriate to the kind of PII you disclose, and are reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure, or destruction.
I am a person, commercial entity, or governmental entity that collects PI. Do I need to familiarize myself with Colorado’s security breach notification laws?
Yes. Persons, commercial entities, and governmental entities that collect or maintain PI should be familiar with Colorado’s security breach notification laws. See C.R.S. § 6-1-716 if you are a person or commercial entity; see C.R.S. § 24-73-103 if you are a governmental entity.
What is a security breach?
A security breach is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of PI maintained by a person, commercial entity, or governmental entity.
For example, a security breach can occur when:
Under what circumstances do I have to notify Colorado residents of a security breach?
If you become aware that a security breach may have occurred, you must conduct a prompt, good-faith investigation to determine the likelihood that PI has been or will be misused. You must provide notice to the affected Colorado residents, unless the investigation determines that the information has not been misused and is not reasonably likely to be misused.
How long do I have to provide notice to the affected Colorado residents?
You must provide notice in the most expedient time possible, without unreasonable delay, and within 30 days after the date of determination that a security breach has occurred. Notice may be delayed consistent with the legitimate needs of law enforcement, or consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
Other than the affected Colorado residents, am I required to notify anyone else?
How must the notice to Colorado residents be provided?
Notice must be provided by:
Is there any exception to the requirement to provide notice in this manner?
Yes, you may provide substitute notice if:
What are the requirements for substitute notice?
Substitute notice must be provided by:
What information should I include in the notice to Colorado residents?
The notice must include the following:
The security breach included a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account. Are there additional notice requirements?
Yes. In this case, you must also direct the affected Colorado residents to take steps to protect their accounts that may be accessed with the compromised credentials, i.e., instruct them to change their user password and/or security questions and answers.
My entity is regulated by state or federal law (e.g., the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA)) and maintains procedures for security breaches in compliance with those laws and regulations. Is it sufficient to comply with those laws and regulations?
For the most part, yes. However: