On September 1, 2018, the Colorado Protections for Consumer Data Privacy law, HB 18-1128, goes into effect. A bi-partisan group introduced HB 18-1128 in January, and after the usual negotiations, the Legislature passed it unanimously. The new Privacy Law provisions are part of the Colorado Consumer Protection Act (“CCPA”), in a continued effort to protect personal data.
Colorado is getting the message. Data privacy and security are important – and companies need to be held accountable.
What Data Does HB 18-1128 Protect?
The new Colorado legislation specifies exactly what kind of personal data companies need to track regarding Colorado residents. HB 18-1128 defines Personally Identifiable Information (PII) for Colorado residents as a first and last name combined with any one or more of the following:
- Social Security Number
- Student, Military, or Passport ID number
- Driver’s License Number
- Medical Information
- Health Insurance ID number
- Biometric data
- Username or email address with password and/or security questions and answers
- Credit Card number with PIN/access code/password
HB 18-1128 applies to Colorado residents, but any company that manages PII for Colorado residents needs to be aware of this new legislation.
How Long Do I Have to Report a Data Breach?
HB 18-1128 requires organizations to notify Colorado residents within 30 days of the discovery of a data breach where their PII was involved.
If there are more than 500 Colorado residents involved, companies have to notify the Colorado State Attorney General’s office. The law enables the Attorney General to prosecute violations of the new law.
What Else Does the Bill Say?
HB 18-1128 requires organizations to implement reasonable controls and safeguards to protect PII. If that sounds familiar, the EU GDPR, California, and Massachusetts have also used similar language to articulate that same idea – data security, especially on personal information, is super important.
What Can I Do To Comply With the New Colorado Privacy Law?
First, ask yourself about your company’s overall preparedness level to deal with a cyberattack.
The Varonis Data Security platform is the core of an effective data security strategy to protect your company from data breaches. Varonis discovers, identifies, and monitors PII on your core data stores, and detects (and alerts on) any abnormal or unlawful access to that data.
Get a 1:1 demo and learn how to discover where your Colorado-related PII lives and how to meet the new privacy laws – get a head start on compliance with HB 18-1128 and protect your data wherever it lives.
Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.