Colorado Considers New Privacy and Data Breach Legislation

As a compliance company with offices in Colorado, we are always on the lookout for changes to laws and fines that can impact our customers. Well, it’s our turn, as the HIPAA Journal reports in this article.

The Colorado Legislature is considering changes to Colorado's data breach laws. These would include additional protection for the PII of state residents.

The PII covered is a full name, or a last name and initial, in combination with any of the following data elements: personal ID numbers, Social Security numbers, state ID numbers, state or government driver’s license numbers, passport numbers, biometric data, passwords and pass codes, employment, student and military IDs, financial transaction devices, health information, and health insurance information.

Usernames/email addresses, financial account numbers, and credit/debit card numbers are also included if they are compromised along with other information that allows account access or use.

A breach would not be deemed to have occurred if the PII is encrypted, unless the key to unlock the encryption is also compromised.

Organizations that store the PII of state residents would be required to implement controls to ensure the privacy and confidentiality of PII. The proposed legislation does not include details of the types of security protections, procedures, and practices that must be implemented to keep personally identifiable information secure, only that the security measures be “appropriate to the nature of the personally identifying information and the nature and size of the business and its operations.”