Colorado Cybersecurity, Privacy & Data Breach Laws

January 2, 2025


The State of Colorado Cybersecurity Privacy & Data Breach Laws are numerous and detailed. Here’s a breakdown of each of them:

1. Cybersecurity and Data Security Laws:

  • Colorado Consumer Protection Act (CCPA) (C.R.S. § 6-1-101 et seq.): While primarily focused on consumer protection, this act prohibits deceptive trade practices, which can include failing to protect consumer data adequately.
    • In case of a security breach involving unencrypted computerized data that compromises the security, confidentiality, or integrity of PII, businesses must conduct a prompt, good-faith investigation.
    • Notification to affected Colorado residents is required unless the investigation determines that misuse of the information has not occurred and is not reasonably likely.
    • Notification must be made in the most expedient time possible, without unreasonable delay, and within 30 days after the determination of the breach.
    • If the breach affects 500 or more Colorado residents, the entity must also notify the Colorado Attorney General within the same timeframe.
    • If the breach affects more than 1,000 Colorado residents, notification to all nationwide consumer reporting agencies is also required (unless compliant with the Gramm-Leach-Bliley Act).
    • The notice to residents must include details like the date of the breach, the type of information compromised, and contact information for inquiries.
    • There are specific requirements for substitute notice if direct notification is not feasible (e.g., cost exceeding $250,000 or over 250,000 residents affected).
  • Colorado Data Breach Notification Law (C.R.S. § 6-1-716): This law requires entities that maintain personal identifying information (PII) to implement reasonable security procedures and practices to protect it.
    • Controllers must take reasonable measures to secure personal data and prevent unauthorized access.
  • Colorado Privacy Act (CPA) (C.R.S. § 6-1-1301 et seq.): Effective July 1, 2023, the CPA grants Colorado consumers several rights regarding their personal data and imposes obligations on data controllers and processors. These obligations include implementing appropriate technical and organizational data security safeguards.
  • State Government Cybersecurity: The State of Colorado has its own cybersecurity policies and standards for public agencies to protect sensitive electronic information assets (Rule R 24-37.5-403.5). Agencies are required to maintain a Cyber Security Plan.

2. Insurance Security Laws:

While there isn’t a distinct set of “insurance security laws” labeled as such, the general data security and privacy laws in Colorado apply to insurance companies as well.

  • SB21-169 – Protecting Consumers from Unfair Discrimination in Insurance Practices: This law, enacted in 2021, requires insurers to test their big data systems, including algorithms and predictive models, to ensure they are not unfairly discriminating against consumers based on protected characteristics. This indirectly relates to data security as it emphasizes the responsible and non-discriminatory use of consumer data.
  • The Colorado Division of Insurance (DORA) has been actively working on regulations related to the use of external consumer data and information sources, algorithms, and predictive models by insurers, focusing on governance and risk management frameworks.

3. Privacy Laws:

The Colorado Privacy Act (CPA) gives residents privacy rights regarding their data. They include:

  • Right to Opt-Out: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling that could lead to significant decisions.
  • Right to Access: Consumers have the right to confirm if a controller is processing their personal data and to access that data.
  • Right to Correction: Consumers can request the correction of inaccuracies in their personal data.
  • Right to Deletion: Consumers have the right to have their personal data deleted.
  • Right to Data Portability: Consumers can obtain a copy of their personal data in a portable and readily usable format.
  • Right to Know: Consumers have the right to know whether a controller is collecting their personal data.


  • The CPA places obligations on “controllers” (entities that determine the purposes and means of processing personal data) and “processors” (entities that process personal data on behalf of a controller).
  • Consent: The CPA requires clear, affirmative consent for processing sensitive data, for secondary uses of personal data, and for processing the personal data of children under 13. Consent obtained through deceptive designs (dark patterns) is not valid.
  • Transparency: Controllers must provide consumers with clear and accessible privacy notices detailing the categories of personal data collected, the purposes of processing, how consumers can exercise their rights, and other relevant information.
  • Enforcement: The Colorado Attorney General and District Attorneys have the exclusive authority to enforce the CPA, and violations can be treated as deceptive trade practices under the CCPA, potentially leading to fines.

It’s important to note that these laws are complex and subject to interpretation and further rulemaking. Businesses operating in Colorado or processing the data of Colorado residents should stay informed about the specific requirements and seek legal counsel to ensure compliance. The Colorado Attorney General’s Office provides resources and FAQs related to these laws on its website.

Protections For Consumer Data Privacy

The State Of Colorado Data Breach Notification

Colorado Revised Statutes 6-1-716

  • Enacted in 2006, Colorado’s data breach notification law requires entities that conduct business in Colorado, and that own, license, or maintain computerized personal information on Colorado residents to notify those individuals of unauthorized acquisition of unencrypted data that compromises the security, confidentiality, or integrity of personal information.
  • Notice shall be made in the most expedient time possible and without unreasonable delay, but not later than 30 days after determining a breach occurred.
  • If notice is provided to more than 500 CO residents, the entity must also notify the Attorney General.
  • If notice is provided to more than 1,000 CO residents, the entity must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify and cooperate with the relevant data owners or licensees immediately following discovery of a breach, if misuse of personal information about a CO resident occurred or is likely to occur.
  • Notification pursuant to laws, rules, regulations, guidance, or guidelines established by an entity’s primary state regulator is sufficient for compliance with this law.

Colorado Regulations and Penalties

In the state of Colorado, any commercial entity (whether for-profit or non-profit) that experiences a data breach is required to investigate the likelihood that personal information has been or will be misused. The business is legally required to notify affected Colorado residents as soon as possible by mail, telephone, or electronic means. If the security breach affects more than 250,000 residents or the cost of notification exceeds $250,000, other means of notification can be used. Read more about CO’s data breach laws below.

Name of Law / Statute: Colorado Consumer Protection Act
Definition of Protected Information: Combination of (1) name or other identifying info, PLUS (2) one or more of these “data” elements: SSN; driver’s license number; or account number, credit card number, or debit card number if accompanied by PIN, password, or access codes.
Who Is Subject to Law?: Any person or business conducting business in the state who licenses or maintains PI in the course of business
Notification of Consumers?: Yes, unless determination of no harm by business
By what means?: Written, electronic, or phone; if >1,000 residents, must notify credit reporting agencies; if cost of notice >$250,000 or for >250,000 residents, alternate methods OK
Substitute Notice Threshold?: If cost of notice >$250,000 or involves >250,000 residents
Notification of authorities / regulators required?: No
By what means?: N/A
Regulatory Fines: N/A
Credit monitoring requirement?: N/A
Private lawsuits allowed?: No
Private damages cap?: N/A
Regulatory actions allowed?: N/A
HIPAA Compliance exemption?: N/A
Other (e.g., timeframe): Law does not apply if PI was encrypted or redacted or otherwise secured
Link to complete law: Read the full text of Colorado’s data breach law.