Colorado’s new, more stringent data privacy law is set to take effect on September 1, meaning employers face more obligations related to disposal and security of residents’ personal identifying information (PII).
The statute defines PII as “a [Social Security number (SSN)]; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; or a financial transaction device.”
The bill, HB 18-1128, amends C.R.S. § 6-1-713 to strengthen the steps employers must take when disposing of documents containing PII. The amendment applies to documents that are kept electronically in addition to those kept in paper form.
The new law requires that employers and other covered entities implement a written policy specifying that when paper or electronic documents containing PII are no longer needed, they will destroy (or arrange for the destruction of) the documents in their custody or control by shredding, erasing, or otherwise modifying the PII in the documents to make the information unreadable or indecipherable through any means.
The new law also creates C.R.S. § 6-1-713.5, a new statutory section that requires employers to implement and maintain reasonable security procedures and practices to protect PII from unauthorized access, use, modification, disclosure, or destruction.
If a covered entity discloses PII to a third-party service provider, it must require the service provider to implement and maintain security procedures and practices that are reasonably designed to help protect the information from unauthorized access, use, modification, disclosure, or destruction, as appropriate to the nature of the information disclosed.
The new law also requires that covered entities take no more than 30 days to provide notice of a security breach.