On September 1, 2018, Colorado's Attorney General, Cynthia Coffman, introduced new rules regarding the handling, management and destruction of personally identifiable information in both hard-copy and electronic form.
There are three major changes regarding the management of personal data, and they apply to any person, commercial entity or government entity that owns or licenses personally identifiable information (PII) of Colorado residents.
In the description of PII and the classes of personal data that apply, there are some distinct differences between the Colorado interpretation and that of the GDPR.
Some items that only count as personal data in context under the GDPR are treated as PII outright for Colorado legislative purposes, such as passwords and passcodes, student ID numbers and employer ID numbers. Under the GDPR, these ID numbers would only be classified as personal data in the context of the environment in which they act as identifiers.
The changes in more detail:
FIRST: What does the new law say about disposal of PII?
If you maintain, own, or license PII, in paper or electronic form, you are required to develop and implement a written policy to ensure that the PII is destroyed when it is no longer needed. Private persons and entities should refer to C.R.S. § 6-1-713. Governmental entities should refer to C.R.S. § 24-73-101.
SECOND: What steps does the law require me to take to protect PII that I maintain, own, or license in the course of my business?
You are required to take reasonable security measures to protect PII, taking into account the nature and size of your business and the type of PII that you are collecting. See C.R.S. § 6-1-713.5 if you are a person or commercial entity, or C.R.S. § 24-73-102 if you are a governmental entity.
I am regulated by state or federal law, and my regulator sets its own requirements for protection of PII. Is it sufficient to follow those laws and regulations?
Yes. If you maintain procedures for the protection of personal identifying information pursuant to the laws, rules, regulations, guidance, or guidelines established by your state or federal regulator, you are in compliance with Colorado’s law governing protection of PII.
I am a third-party service provider that maintains, stores or processes PII for clients. What are my obligations to protect that PII?
Unless your client agrees to provide its own security protection for the PII it discloses to you, it must require you to implement and maintain security procedures and practices that are appropriate to the kind of PII your client is disclosing, and are reasonably designed to help protect the PII from unauthorized access, use, modification, disclosure or destruction.
THIRD: I am a person, commercial entity, or governmental entity that collects PII. Do I need to familiarize myself with the updates to Colorado’s security breach notification laws?
Yes. There have been significant changes to the security breach notification requirements. See C.R.S. § 6-1-716. The new law also imposes security breach notification requirements for governmental entities. See C.R.S. § 24-73-103.
Introducing the Global Data Protection Management System (GDPMS) - Discover all the benefits of the world's leading Data Protection GRC today. Schedule a live demonstration and learn how this tool will ensure that you are always compliant in this changing landscape.
Discover the Attorney General's page.