On May 18, 2018, the Colorado legislature sent HB 18-1128, an Act Concerning Strengthening Protections for Consumer Data Privacy, to the governor’s desk for execution. The bill is one of a number of recent efforts by states to respond to a slew of high profile breaches announced this year, including Equifax, Facebook, Panera Bread, Under Armour and – well, you get it.
The bill mimics a trend of inching toward the heightened and more specific standards employed by the EU’s General Data Protection Regulation. For example, HB-18-1128 replaces an ‘as soon as practicable’ breach notification requirement with a deadline of not later than 30 days from the date a breach is determined to have occurred. That’s more latitude than GDPR’s seemingly impossible 72-hour time limit (where feasible, of course), but it is another indication of regulators’ insistence on firm, identifiable timelines.
Also like the GDPR, the Colorado bill explicitly mandates that data is maintained “no longer than needed,” an example of the growing trend toward data minimization. With respect to security measures themselves, the bill requires “reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations,” a ‘commercially reasonable’ standard of sorts that also mirrors the GDPR (appropriate technical and organizational measures in light of a host of factors). Want one more similarity? The bill requires covered entities to mandate implementation of reasonable security measures by third party service providers, another trend reflected both in the GDPR and newer legislation being passed or proposed around the country.
Another interesting facet of HB-1128 is its specifically stated set of requirements for the content of data breach notifications. This may be, however, something of a double-edged sword. While the bill will render notifications more consistent for Colorado residents, as this level of specificity is adopted by additional states, the already difficult prospect of multi-state breach notification compliance is exacerbated.
My takeaway: If you maintain consumer data, you should review the current state of the law in your jurisdiction and assess your policies and procedures for compliance, even if you’ve done so in the last 12 months. The combination of very high profile breaches in 2018 and the EU’s enactment of the GDPR has privacy at the forefront for regulators and lawmakers. With South Dakota and Alabama having just become the last two states to adopt their first breach notification laws, we can expect many states to revisit older legislation in the next 12-24 months.