Téléverser un fichier

note: this bill has been prepared for the signatures of ......6-1-713.5. protection of personal...

  • Home
  • Documents
  • NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,
22
HOUSE BILL 18-1128 BY REPRESENTATIVE(S) Wist and Bridges, Arndt, Becker K., Buckner, Coleman, Danielson, Esgar, Exum, Foote, Garnett, Gray, Hamner, Hansen, Herod, Hooton, Jackson, Kraft-Tharp, Landgraf, Lawrence, Lee, Liston, Lontine, McLachlan, Melton, Michaelson Jenet, Neville P., Pettersen, Rankin, Ransom, Reyher, Roberts, Rosenthal, Saine, Sias, Singer, Valdez, Van Winkle, Weissman, Winkler, Winter, Young, Duran, Benavidez, Ginal, Humphrey, Kennedy, Salazar; also SENATOR(S) Lambert and Court, Aguilar, Crowder, Donovan, Fenberg, Fields, Garcia, Gardner, Guzman, Jahn, Jones, Kefalas, Kerr, Lundberg, Marble, Martinez Humenik, Merrifield, Moreno, Neville T., Tate, Todd, Williams A., Zenzinger, Grantham. CONCERNING STRENGTHENING PROTECTIONS FOR CONSUMER DATA PRIVACY. Be it enacted by the General Assembly of the State of Colorado: SECTION 1. In Colorado Revised Statutes, 6-1-713, amend (1), (2), and (3) as follows: 6-1-713. Disposal of personal identifying information - policy - definitions. (1) Each public and private COVERED entity in the state that uses MAINTAINS PAPER OR ELECTRONIC documents during the course of NOTE: This bill has been prepared for the signatures of the appropriate legislative officers and the Governor. To determine whether the Governor has signed the bill or taken other action on it, please consult the legislative status sheet, the legislative history, or the Session Laws. ________ Capital letters or bold & italic numbers indicate new material added to existing statutes; dashes through words indicate deletions from existing statutes and such material not part of act.

Upload: others

Post on 06-May-2020

5 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

HOUSE BILL 18-1128

BY REPRESENTATIVE(S) Wist and Bridges, Arndt, Becker K., Buckner,Coleman, Danielson, Esgar, Exum, Foote, Garnett, Gray, Hamner, Hansen,Herod, Hooton, Jackson, Kraft-Tharp, Landgraf, Lawrence, Lee, Liston,Lontine, McLachlan, Melton, Michaelson Jenet, Neville P., Pettersen,Rankin, Ransom, Reyher, Roberts, Rosenthal, Saine, Sias, Singer, Valdez,Van Winkle, Weissman, Winkler, Winter, Young, Duran, Benavidez, Ginal,Humphrey, Kennedy, Salazar;also SENATOR(S) Lambert and Court, Aguilar, Crowder, Donovan,Fenberg, Fields, Garcia, Gardner, Guzman, Jahn, Jones, Kefalas, Kerr,Lundberg, Marble, Martinez Humenik, Merrifield, Moreno, Neville T.,Tate, Todd, Williams A., Zenzinger, Grantham.

CONCERNING STRENGTHENING PROTECTIONS FOR CONSUMER DATAPRIVACY.

Be it enacted by the General Assembly of the State of Colorado:

SECTION 1. In Colorado Revised Statutes, 6-1-713, amend (1),(2), and (3) as follows:

6-1-713. Disposal of personal identifying information - policy -definitions. (1) Each public and private COVERED entity in the state thatuses MAINTAINS PAPER OR ELECTRONIC documents during the course of

NOTE: This bill has been prepared for the signatures of the appropriate legislativeofficers and the Governor. To determine whether the Governor has signed the billor taken other action on it, please consult the legislative status sheet, the legislativehistory, or the Session Laws.

________Capital letters or bold & italic numbers indicate new material added to existing statutes; dashesthrough words indicate deletions from existing statutes and such material not part of act.

Page 2: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

business that contain personal identifying information shall develop aWRITTEN policy for the destruction or proper disposal of THOSE paper ANDELECTRONIC documents containing personal identifying information.UNLESS OTHERWISE REQUIRED BY STATE OR FEDERAL LAW OR REGULATION,THE WRITTEN POLICY MUST REQUIRE THAT, WHEN SUCH PAPER ORELECTRONIC DOCUMENTS ARE NO LONGER NEEDED, THE COVERED ENTITYSHALL DESTROY OR ARRANGE FOR THE DESTRUCTION OF SUCH PAPER ANDELECTRONIC DOCUMENTS WITHIN ITS CUSTODY OR CONTROL THAT CONTAINPERSONAL IDENTIFYING INFORMATION BY SHREDDING, ERASING, OROTHERWISE MODIFYING THE PERSONAL IDENTIFYING INFORMATION IN THEPAPER OR ELECTRONIC DOCUMENTS TO MAKE THE PERSONAL IDENTIFYINGINFORMATION UNREADABLE OR INDECIPHERABLE THROUGH ANY MEANS.

(2) For the purposes of this section AND SECTION 6-1-713.5:

(a) "COVERED ENTITY" MEANS A PERSON, AS DEFINED IN SECTION6-1-102 (6), THAT MAINTAINS, OWNS, OR LICENSES PERSONAL IDENTIFYINGINFORMATION IN THE COURSE OF THE PERSON'S BUSINESS, VOCATION, OROCCUPATION. "COVERED ENTITY" DOES NOT INCLUDE A PERSON ACTING ASA THIRD-PARTY SERVICE PROVIDER AS DEFINED IN SECTION 6-1-713.5.

(b) "Personal identifying information" means a social securitynumber; a personal identification number; a password; a pass code; anofficial state or government-issued driver's license or identification cardnumber; a government passport number; biometric data, AS DEFINED INSECTION 6-1-716 (1)(a); an employer, student, or military identificationnumber; or a financial transaction device, AS DEFINED IN SECTION 18-5-701(3).

(3) A public entity that is managing its records in compliance withpart 1 of article 80 of title 24, C.R.S., shall be deemed to have met itsobligations under subsection (1) of this section A COVERED ENTITY THAT ISREGULATED BY STATE OR FEDERAL LAW AND THAT MAINTAINS PROCEDURESFOR DISPOSAL OF PERSONAL IDENTIFYING INFORMATION PURSUANT TO THELAWS, RULES, REGULATIONS, GUIDANCES, OR GUIDELINES ESTABLISHED BYITS STATE OR FEDERAL REGULATOR IS IN COMPLIANCE WITH THIS SECTION.

SECTION 2. In Colorado Revised Statutes, add 6-1-713.5 asfollows:

PAGE 2-HOUSE BILL 18-1128

Page 3: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

6-1-713.5. Protection of personal identifying information -definition. (1) TO PROTECT PERSONAL IDENTIFYING INFORMATION, ASDEFINED IN SECTION 6-1-713 (2), FROM UNAUTHORIZED ACCESS, USE,MODIFICATION, DISCLOSURE, OR DESTRUCTION, A COVERED ENTITY THATMAINTAINS, OWNS, OR LICENSES PERSONAL IDENTIFYING INFORMATION OF ANINDIVIDUAL RESIDING IN THE STATE SHALL IMPLEMENT AND MAINTAINREASONABLE SECURITY PROCEDURES AND PRACTICES THAT AREAPPROPRIATE TO THE NATURE OF THE PERSONAL IDENTIFYING INFORMATIONAND THE NATURE AND SIZE OF THE BUSINESS AND ITS OPERATIONS.

(2) UNLESS A COVERED ENTITY AGREES TO PROVIDE ITS OWNSECURITY PROTECTION FOR THE INFORMATION IT DISCLOSES TO ATHIRD-PARTY SERVICE PROVIDER, THE COVERED ENTITY SHALL REQUIRETHAT THE THIRD-PARTY SERVICE PROVIDER IMPLEMENT AND MAINTAINREASONABLE SECURITY PROCEDURES AND PRACTICES THAT ARE:

(a) APPROPRIATE TO THE NATURE OF THE PERSONAL IDENTIFYINGINFORMATION DISCLOSED TO THE THIRD-PARTY SERVICE PROVIDER; AND

(b) REASONABLY DESIGNED TO HELP PROTECT THE PERSONALIDENTIFYING INFORMATION FROM UNAUTHORIZED ACCESS, USE,MODIFICATION, DISCLOSURE, OR DESTRUCTION.

(3) FOR THE PURPOSES OF SUBSECTION (2) OF THIS SECTION, ADISCLOSURE OF PERSONAL IDENTIFYING INFORMATION DOES NOT INCLUDEDISCLOSURE OF INFORMATION TO A THIRD PARTY UNDER CIRCUMSTANCESWHERE THE COVERED ENTITY RETAINS PRIMARY RESPONSIBILITY FORIMPLEMENTING AND MAINTAINING REASONABLE SECURITY PROCEDURES ANDPRACTICES APPROPRIATE TO THE NATURE OF THE PERSONAL IDENTIFYINGINFORMATION AND THE COVERED ENTITY IMPLEMENTS AND MAINTAINSTECHNICAL CONTROLS THAT ARE REASONABLY DESIGNED TO:

(a) HELP PROTECT THE PERSONAL IDENTIFYING INFORMATION FROMUNAUTHORIZED ACCESS, USE, MODIFICATION, DISCLOSURE, ORDESTRUCTION; OR

(b) EFFECTIVELY ELIMINATE THE THIRD PARTY'S ABILITY TO ACCESSTHE PERSONAL IDENTIFYING INFORMATION, NOTWITHSTANDING THE THIRDPARTY'S PHYSICAL POSSESSION OF THE PERSONAL IDENTIFYINGINFORMATION.

PAGE 3-HOUSE BILL 18-1128

Page 4: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

(4) A COVERED ENTITY THAT IS REGULATED BY STATE OR FEDERALLAW AND THAT MAINTAINS PROCEDURES FOR PROTECTION OF PERSONALIDENTIFYING INFORMATION PURSUANT TO THE LAWS, RULES, REGULATIONS,GUIDANCES, OR GUIDELINES ESTABLISHED BY ITS STATE OR FEDERALREGULATOR IS IN COMPLIANCE WITH THIS SECTION.

(5) FOR THE PURPOSES OF THIS SECTION, "THIRD-PARTY SERVICEPROVIDER" MEANS AN ENTITY THAT HAS BEEN CONTRACTED TO MAINTAIN,STORE, OR PROCESS PERSONAL IDENTIFYING INFORMATION ON BEHALF OF ACOVERED ENTITY.

SECTION 3. In Colorado Revised Statutes, 6-1-716, amend (2),(3), and (4); repeal and reenact, with amendments, (1); and add (5) asfollows:

6-1-716. Notification of security breach. (1) Definitions. AS USEDIN THIS SECTION, UNLESS THE CONTEXT OTHERWISE REQUIRES:

(a) "BIOMETRIC DATA" MEANS UNIQUE BIOMETRIC DATA GENERATEDFROM MEASUREMENTS OR ANALYSIS OF HUMAN BODY CHARACTERISTICS FORTHE PURPOSE OF AUTHENTICATING THE INDIVIDUAL WHEN HE OR SHEACCESSES AN ONLINE ACCOUNT.

(b) "COVERED ENTITY" MEANS A PERSON, AS DEFINED IN SECTION6-1-102 (6), THAT MAINTAINS, OWNS, OR LICENSES PERSONAL INFORMATIONIN THE COURSE OF THE PERSON'S BUSINESS, VOCATION, OR OCCUPATION."COVERED ENTITY" DOES NOT INCLUDE A PERSON ACTING AS A THIRD-PARTYSERVICE PROVIDER AS DEFINED IN SUBSECTION (1)(i) OF THIS SECTION.

(c) "DETERMINATION THAT A SECURITY BREACH OCCURRED" MEANSTHE POINT IN TIME AT WHICH THERE IS SUFFICIENT EVIDENCE TO CONCLUDETHAT A SECURITY BREACH HAS TAKEN PLACE.

(d) "ENCRYPTED" MEANS RENDERED UNUSABLE, UNREADABLE, ORINDECIPHERABLE TO AN UNAUTHORIZED PERSON THROUGH A SECURITYTECHNOLOGY OR METHODOLOGY GENERALLY ACCEPTED IN THE FIELD OFINFORMATION SECURITY.

(e) "MEDICAL INFORMATION" MEANS ANY INFORMATION ABOUT ACONSUMER'S MEDICAL OR MENTAL HEALTH TREATMENT OR DIAGNOSIS BY A

PAGE 4-HOUSE BILL 18-1128

Page 5: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

HEALTH CARE PROFESSIONAL.

(f) "NOTICE" MEANS:

(I) WRITTEN NOTICE TO THE POSTAL ADDRESS LISTED IN THERECORDS OF THE COVERED ENTITY;

(II) TELEPHONIC NOTICE;

(III) ELECTRONIC NOTICE, IF A PRIMARY MEANS OF COMMUNICATIONBY THE COVERED ENTITY WITH A COLORADO RESIDENT IS BY ELECTRONICMEANS OR THE NOTICE PROVIDED IS CONSISTENT WITH THE PROVISIONSREGARDING ELECTRONIC RECORDS AND SIGNATURES SET FORTH IN THEFEDERAL "ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCEACT", 15 U.S.C. SEC. 7001 ET SEQ.; OR

(IV) SUBSTITUTE NOTICE, IF THE COVERED ENTITY REQUIRED TOPROVIDE NOTICE DEMONSTRATES THAT THE COST OF PROVIDING NOTICE WILLEXCEED TWO HUNDRED FIFTY THOUSAND DOLLARS, THE AFFECTED CLASS OFPERSONS TO BE NOTIFIED EXCEEDS TWO HUNDRED FIFTY THOUSANDCOLORADO RESIDENTS, OR THE COVERED ENTITY DOES NOT HAVESUFFICIENT CONTACT INFORMATION TO PROVIDE NOTICE. SUBSTITUTENOTICE CONSISTS OF ALL OF THE FOLLOWING:

(A) E-MAIL NOTICE IF THE COVERED ENTITY HAS E-MAIL ADDRESSESFOR THE MEMBERS OF THE AFFECTED CLASS OF COLORADO RESIDENTS;

(B) CONSPICUOUS POSTING OF THE NOTICE ON THE WEBSITE PAGE OFTHE COVERED ENTITY IF THE COVERED ENTITY MAINTAINS ONE; AND

(C) NOTIFICATION TO MAJOR STATEWIDE MEDIA.

(g) (I) (A) "PERSONAL INFORMATION" MEANS A COLORADORESIDENT'S FIRST NAME OR FIRST INITIAL AND LAST NAME IN COMBINATIONWITH ANY ONE OR MORE OF THE FOLLOWING DATA ELEMENTS THAT RELATETO THE RESIDENT, WHEN THE DATA ELEMENTS ARE NOT ENCRYPTED,REDACTED, OR SECURED BY ANY OTHER METHOD RENDERING THE NAME ORTHE ELEMENT UNREADABLE OR UNUSABLE: SOCIAL SECURITY NUMBER;STUDENT, MILITARY, OR PASSPORT IDENTIFICATION NUMBER; DRIVER'SLICENSE NUMBER OR IDENTIFICATION CARD NUMBER; MEDICAL

PAGE 5-HOUSE BILL 18-1128

Page 6: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

INFORMATION; HEALTH INSURANCE IDENTIFICATION NUMBER; OR BIOMETRICDATA;

(B) A COLORADO RESIDENT'S USERNAME OR E-MAIL ADDRESS, INCOMBINATION WITH A PASSWORD OR SECURITY QUESTIONS AND ANSWERS,THAT WOULD PERMIT ACCESS TO AN ONLINE ACCOUNT; OR

(C) A COLORADO RESIDENT'S ACCOUNT NUMBER OR CREDIT ORDEBIT CARD NUMBER IN COMBINATION WITH ANY REQUIRED SECURITY CODE,ACCESS CODE, OR PASSWORD THAT WOULD PERMIT ACCESS TO THATACCOUNT.

(II) "PERSONAL INFORMATION" DOES NOT INCLUDE PUBLICLYAVAILABLE INFORMATION THAT IS LAWFULLY MADE AVAILABLE TO THEGENERAL PUBLIC FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDSOR WIDELY DISTRIBUTED MEDIA.

(h) "SECURITY BREACH" MEANS THE UNAUTHORIZED ACQUISITION OFUNENCRYPTED COMPUTERIZED DATA THAT COMPROMISES THE SECURITY,CONFIDENTIALITY, OR INTEGRITY OF PERSONAL INFORMATION MAINTAINEDBY A COVERED ENTITY. GOOD FAITH ACQUISITION OF PERSONALINFORMATION BY AN EMPLOYEE OR AGENT OF A COVERED ENTITY FOR THECOVERED ENTITY'S BUSINESS PURPOSES IS NOT A SECURITY BREACH IF THEPERSONAL INFORMATION IS NOT USED FOR A PURPOSE UNRELATED TO THELAWFUL OPERATION OF THE BUSINESS OR IS NOT SUBJECT TO FURTHERUNAUTHORIZED DISCLOSURE.

(i) "THIRD-PARTY SERVICE PROVIDER" MEANS AN ENTITY THAT HASBEEN CONTRACTED TO MAINTAIN, STORE, OR PROCESS PERSONALINFORMATION ON BEHALF OF A COVERED ENTITY.

(2) Disclosure of breach. (a) An individual or a commercial ACOVERED entity that conducts business in Colorado and that MAINTAINS,owns, or licenses computerized data that includes personal informationabout a resident of Colorado shall, when it becomes aware of a breach ofthe security of the system BECOMES AWARE THAT A SECURITY BREACH MAYHAVE OCCURRED, conduct in good faith a prompt investigation to determinethe likelihood that personal information has been or will be misused. Theindividual or the commercial COVERED entity shall give notice as soon aspossible to the affected Colorado resident RESIDENTS unless the

PAGE 6-HOUSE BILL 18-1128

Page 7: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

investigation determines that the misuse of information about a Coloradoresident has not occurred and is not reasonably likely to occur. Notice shallMUST be made in the most expedient time possible and withoutunreasonable delay, BUT NOT LATER THAN THIRTY DAYS AFTER THE DATE OFDETERMINATION THAT A SECURITY BREACH OCCURRED, consistent with thelegitimate needs of law enforcement and consistent with any measuresnecessary to determine the scope of the breach and to restore the reasonableintegrity of the computerized data system.

(a.2) IN THE CASE OF A BREACH OF PERSONAL INFORMATION, NOTICEREQUIRED BY THIS SUBSECTION (2) TO AFFECTED COLORADO RESIDENTSMUST INCLUDE, BUT NEED NOT BE LIMITED TO, THE FOLLOWINGINFORMATION:

(I) THE DATE, ESTIMATED DATE, OR ESTIMATED DATE RANGE OF THESECURITY BREACH;

(II) A DESCRIPTION OF THE PERSONAL INFORMATION THAT WASACQUIRED OR REASONABLY BELIEVED TO HAVE BEEN ACQUIRED AS PART OFTHE SECURITY BREACH;

(III) INFORMATION THAT THE RESIDENT CAN USE TO CONTACT THECOVERED ENTITY TO INQUIRE ABOUT THE SECURITY BREACH;

(IV) THE TOLL-FREE NUMBERS, ADDRESSES, AND WEBSITES FORCONSUMER REPORTING AGENCIES;

(V) THE TOLL-FREE NUMBER, ADDRESS, AND WEBSITE FOR THEFEDERAL TRADE COMMISSION; AND

(VI) A STATEMENT THAT THE RESIDENT CAN OBTAIN INFORMATIONFROM THE FEDERAL TRADE COMMISSION AND THE CREDIT REPORTINGAGENCIES ABOUT FRAUD ALERTS AND SECURITY FREEZES.

(a.3) IF AN INVESTIGATION BY THE COVERED ENTITY PURSUANT TOSUBSECTION (2)(a) OF THIS SECTION DETERMINES THAT THE TYPE OFPERSONAL INFORMATION DESCRIBED IN SUBSECTION (1)(g)(I)(B) OF THISSECTION HAS BEEN MISUSED OR IS REASONABLY LIKELY TO BE MISUSED,THEN THE COVERED ENTITY SHALL, IN ADDITION TO THE NOTICE OTHERWISEREQUIRED BY SUBSECTION (2)(a.2) OF THIS SECTION AND IN THE MOST

PAGE 7-HOUSE BILL 18-1128

Page 8: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

EXPEDIENT TIME POSSIBLE AND WITHOUT UNREASONABLE DELAY, BUT NOTLATER THAN THIRTY DAYS AFTER THE DATE OF DETERMINATION THAT ASECURITY BREACH OCCURRED, CONSISTENT WITH THE LEGITIMATE NEEDS OFLAW ENFORCEMENT AND CONSISTENT WITH ANY MEASURES NECESSARY TODETERMINE THE SCOPE OF THE BREACH AND TO RESTORE THE REASONABLEINTEGRITY OF THE COMPUTERIZED DATA SYSTEM:

(I) DIRECT THE PERSON WHOSE PERSONAL INFORMATION HAS BEENBREACHED TO PROMPTLY CHANGE HIS OR HER PASSWORD AND SECURITYQUESTION OR ANSWER, AS APPLICABLE, OR TO TAKE OTHER STEPSAPPROPRIATE TO PROTECT THE ONLINE ACCOUNT WITH THE COVERED ENTITYAND ALL OTHER ONLINE ACCOUNTS FOR WHICH THE PERSON WHOSEPERSONAL INFORMATION HAS BEEN BREACHED USES THE SAME USERNAMEOR E-MAIL ADDRESS AND PASSWORD OR SECURITY QUESTION OR ANSWER.

(II) FOR LOG-IN CREDENTIALS OF AN E-MAIL ACCOUNT FURNISHED BYTHE COVERED ENTITY, THE COVERED ENTITY SHALL NOT COMPLY WITH THISSECTION BY PROVIDING THE SECURITY BREACH NOTIFICATION TO THATE-MAIL ADDRESS, BUT MAY INSTEAD COMPLY WITH THIS SECTION BYPROVIDING NOTICE THROUGH OTHER METHODS, AS DEFINED IN SUBSECTION(1)(f) OF THIS SECTION, OR BY CLEAR AND CONSPICUOUS NOTICE DELIVEREDTO THE RESIDENT ONLINE WHEN THE RESIDENT IS CONNECTED TO THE ONLINEACCOUNT FROM AN INTERNET PROTOCOL ADDRESS OR ONLINE LOCATIONFROM WHICH THE COVERED ENTITY KNOWS THE RESIDENT CUSTOMARILYACCESSES THE ACCOUNT.

(a.4) THE BREACH OF ENCRYPTED OR OTHERWISE SECURED PERSONALINFORMATION MUST BE DISCLOSED IN ACCORDANCE WITH THIS SECTION IFTHE CONFIDENTIAL PROCESS, ENCRYPTION KEY, OR OTHER MEANS TODECIPHER THE SECURED INFORMATION WAS ALSO ACQUIRED IN THESECURITY BREACH OR WAS REASONABLY BELIEVED TO HAVE BEENACQUIRED.

(a.5) A COVERED ENTITY THAT IS REQUIRED TO PROVIDE NOTICE TOAFFECTED COLORADO RESIDENTS PURSUANT TO THIS SUBSECTION (2) ISPROHIBITED FROM CHARGING THE COST OF PROVIDING SUCH NOTICE TO SUCHRESIDENTS.

(a.6) NOTHING IN THIS SUBSECTION (2) PROHIBITS THE NOTICEDESCRIBED IN THIS SUBSECTION (2) FROM CONTAINING ADDITIONAL

PAGE 8-HOUSE BILL 18-1128

Page 9: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

INFORMATION, INCLUDING ANY INFORMATION THAT MAY BE REQUIRED BYSTATE OR FEDERAL LAW.

(b) An individual or a commercial entity that maintains IF ACOVERED ENTITY USES A THIRD-PARTY SERVICE PROVIDER TO MAINTAINcomputerized data that includes personal information, that the individual orthe commercial entity does not own or license THEN THE THIRD-PARTYSERVICE PROVIDER shall give notice to and cooperate with the owner orlicensee of the information of any breach of the security of the systemimmediately THE COVERED ENTITY IN THE EVENT OF A SECURITY BREACHTHAT COMPROMISES SUCH COMPUTERIZED DATA, INCLUDING NOTIFYING THECOVERED ENTITY OF ANY SECURITY BREACH IN THE MOST EXPEDIENT TIMEPOSSIBLE, AND WITHOUT UNREASONABLE DELAY following discovery of aSECURITY breach, if misuse of personal information about a Coloradoresident occurred or is likely to occur. Cooperation includes sharing withthe owner or licensee COVERED ENTITY information relevant to theSECURITY breach; except that such cooperation shall not be deemed to DOESNOT require the disclosure of confidential business information or tradesecrets.

(c) Notice required by this section may be delayed if a lawenforcement agency determines that the notice will impede a criminalinvestigation and the law enforcement agency has notified the individual orcommercial COVERED entity that conducts business in Colorado not to sendnotice required by this section. Notice required by this section shall MUSTbe made in good faith, IN THE MOST EXPEDIENT TIME POSSIBLE AND withoutunreasonable delay and as soon as possible BUT NOT LATER THAN THIRTYDAYS after the law enforcement agency determines that notification will nolonger impede the investigation and has notified the individual orcommercial COVERED entity that conducts business in Colorado that it isappropriate to send the notice required by this section.

(d) If an individual or commercial A COVERED entity is required tonotify more than one thousand Colorado residents of a SECURITY breach ofthe security of the system pursuant to this section, the individual orcommercial COVERED entity shall also notify, IN THE MOST EXPEDIENT TIMEPOSSIBLE AND without unreasonable delay, all consumer reporting agenciesthat compile and maintain files on consumers on a nationwide basis, asdefined by THE FEDERAL "FAIR CREDIT REPORTING ACT", 15 U.S.C. sec.1681a (p), of the anticipated date of the notification to the residents and the

PAGE 9-HOUSE BILL 18-1128

Page 10: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

approximate number of residents who are to be notified. Nothing in thisparagraph (d) shall be construed to require SUBSECTION (2)(d) REQUIRES theindividual or commercial COVERED entity to provide to the consumerreporting agency the names or other personal information of SECURITYbreach notice recipients. This paragraph (d) shall SUBSECTION (2)(d) DOESnot apply to a person COVERED ENTITY who is subject to Title V of thefederal "Gramm-Leach-Bliley Act", 15 U.S.C. sec. 6801 et seq.

(e) A WAIVER OF THESE NOTIFICATION RIGHTS OR RESPONSIBILITIESIS VOID AS AGAINST PUBLIC POLICY.

(f) (I) THE COVERED ENTITY THAT MUST NOTIFY COLORADORESIDENTS OF A DATA BREACH PURSUANT TO THIS SECTION SHALL PROVIDENOTICE OF ANY SECURITY BREACH TO THE COLORADO ATTORNEY GENERALIN THE MOST EXPEDIENT TIME POSSIBLE AND WITHOUT UNREASONABLEDELAY, BUT NOT LATER THAN THIRTY DAYS AFTER THE DATE OFDETERMINATION THAT A SECURITY BREACH OCCURRED, IF THE SECURITYBREACH IS REASONABLY BELIEVED TO HAVE AFFECTED FIVE HUNDREDCOLORADO RESIDENTS OR MORE, UNLESS THE INVESTIGATION DETERMINESTHAT THE MISUSE OF INFORMATION ABOUT A COLORADO RESIDENT HAS NOTOCCURRED AND IS NOT LIKELY TO OCCUR.

(II) THE COLORADO ATTORNEY GENERAL SHALL DESIGNATE APERSON OR PERSONS AS A POINT OF CONTACT FOR FUNCTIONS SET FORTH INTHIS SUBSECTION (2)(f) AND SHALL MAKE THE CONTACT INFORMATION FORTHAT PERSON OR THOSE PERSONS PUBLIC ON THE ATTORNEY GENERAL'SWEBSITE AND BY ANY OTHER APPROPRIATE MEANS.

(g) THE BREACH OF ENCRYPTED OR OTHERWISE SECURED PERSONALINFORMATION MUST BE DISCLOSED IN ACCORDANCE WITH THIS SECTION IFTHE CONFIDENTIAL PROCESS, ENCRYPTION KEY, OR OTHER MEANS TODECIPHER THE SECURED INFORMATION WAS ALSO ACQUIRED OR WASREASONABLY BELIEVED TO HAVE BEEN ACQUIRED IN THE SECURITY BREACH.

(3) Procedures deemed in compliance with notice requirements.(a) Under PURSUANT TO this section, an individual or a commercial ACOVERED entity that maintains its own notification procedures as part of aninformation security policy for the treatment of personal information andwhose procedures are otherwise consistent with the timing requirements ofthis section shall be deemed to be IS in compliance with the notice

PAGE 10-HOUSE BILL 18-1128

Page 11: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

requirements of this section if the individual or the commercial COVEREDentity notifies affected Colorado customers RESIDENTS in accordance withits policies in the event of a breach. of security of the system SECURITYBREACH; EXCEPT THAT NOTICE TO THE ATTORNEY GENERAL IS STILLREQUIRED PURSUANT TO SUBSECTION (2)(f) OF THIS SECTION.

(b) An individual or a commercial A COVERED entity that isregulated by state or federal law and that maintains procedures for aSECURITY breach of the security of the system pursuant to the laws, rules,regulations, guidances, or guidelines established by its primary or functionalstate or federal regulator is deemed to be in compliance with this section;EXCEPT THAT NOTICE TO THE ATTORNEY GENERAL IS STILL REQUIREDPURSUANT TO SUBSECTION (2)(f) OF THIS SECTION. IN THE CASE OF ACONFLICT BETWEEN THE TIME PERIOD FOR NOTICE TO INDIVIDUALS THAT ISREQUIRED PURSUANT TO THIS SUBSECTION (3) AND THE APPLICABLE STATEOR FEDERAL LAW OR REGULATION, THE LAW OR REGULATION WITH THESHORTEST TIME FRAME FOR NOTICE TO THE INDIVIDUAL CONTROLS.

(4) Violations. The attorney general may bring an action in law orequity to address violations of this section, SECTION 6-1-713, OR SECTION6-1-713.5, and for other relief that may be appropriate to ensure compliancewith this section or to recover direct economic damages resulting from aviolation, or both. The provisions of this section are not exclusive and donot relieve an individual or a commercial A COVERED entity subject to thissection from compliance with all other applicable provisions of law.

(5) Attorney general criminal authority. UPON RECEIPT OF NOTICEPURSUANT TO SUBSECTION (2) OF THIS SECTION, AND WITH EITHER AREQUEST FROM THE GOVERNOR TO PROSECUTE A PARTICULAR CASE OR WITHTHE APPROVAL OF THE DISTRICT ATTORNEY WITH JURISDICTION TOPROSECUTE CASES IN THE JUDICIAL DISTRICT WHERE A CASE COULD BEBROUGHT, THE ATTORNEY GENERAL HAS THE AUTHORITY TO PROSECUTEANY CRIMINAL VIOLATIONS OF SECTION 18-5.5-102.

SECTION 4. In Colorado Revised Statutes, add article 73 to title24 as follows:

ARTICLE 73Security Breaches and Personal Information

PAGE 11-HOUSE BILL 18-1128

Page 12: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

24-73-101. Governmental entity - disposal of personalidentifying information - policy - definitions. (1) EACH GOVERNMENTALENTITY IN THE STATE THAT MAINTAINS PAPER OR ELECTRONIC DOCUMENTSDURING THE COURSE OF BUSINESS THAT CONTAIN PERSONAL IDENTIFYINGINFORMATION SHALL DEVELOP A WRITTEN POLICY FOR THE DESTRUCTION ORPROPER DISPOSAL OF THOSE PAPER AND ELECTRONIC DOCUMENTSCONTAINING PERSONAL IDENTIFYING INFORMATION. UNLESS OTHERWISEREQUIRED BY STATE OR FEDERAL LAW OR REGULATION, THE WRITTEN POLICYMUST REQUIRE THAT, WHEN SUCH PAPER OR ELECTRONIC DOCUMENTS ARENO LONGER NEEDED, THE GOVERNMENTAL ENTITY DESTROY OR ARRANGEFOR THE DESTRUCTION OF SUCH PAPER AND ELECTRONIC DOCUMENTS WITHINITS CUSTODY OR CONTROL THAT CONTAIN PERSONAL IDENTIFYINGINFORMATION BY SHREDDING, ERASING, OR OTHERWISE MODIFYING THEPERSONAL IDENTIFYING INFORMATION IN THE PAPER OR ELECTRONICDOCUMENTS TO MAKE THE PERSONAL IDENTIFYING INFORMATIONUNREADABLE OR INDECIPHERABLE THROUGH ANY MEANS.

(2) A GOVERNMENTAL ENTITY THAT IS REGULATED BY STATE ORFEDERAL LAW AND THAT MAINTAINS PROCEDURES FOR DISPOSAL OFPERSONAL IDENTIFYING INFORMATION PURSUANT TO THE LAWS, RULES,REGULATIONS, GUIDANCES, OR GUIDELINES ESTABLISHED BY ITS STATE ORFEDERAL REGULATOR IS IN COMPLIANCE WITH THIS SECTION.

(3) UNLESS A GOVERNMENTAL ENTITY SPECIFICALLY CONTRACTSWITH A RECYCLER OR DISPOSAL FIRM FOR DESTRUCTION OF DOCUMENTSTHAT CONTAIN PERSONAL IDENTIFYING INFORMATION, NOTHING IN THISSECTION REQUIRES A RECYCLER OR DISPOSAL FIRM TO VERIFY THAT THEDOCUMENTS CONTAINED IN THE PRODUCTS IT RECEIVES FOR DISPOSAL ORRECYCLING HAVE BEEN PROPERLY DESTROYED OR DISPOSED OF AS REQUIREDBY THIS SECTION.

(4) FOR THE PURPOSES OF THIS SECTION AND SECTION 24-73-102,UNLESS THE CONTEXT OTHERWISE REQUIRES:

(a) "GOVERNMENTAL ENTITY" MEANS THE STATE AND ANY STATEAGENCY OR INSTITUTION, INCLUDING THE JUDICIAL DEPARTMENT, COUNTY,CITY AND COUNTY, INCORPORATED CITY OR TOWN, SCHOOL DISTRICT,SPECIAL IMPROVEMENT DISTRICT, AUTHORITY, AND EVERY OTHER KIND OFDISTRICT, INSTRUMENTALITY, OR POLITICAL SUBDIVISION OF THE STATEORGANIZED PURSUANT TO LAW. "GOVERNMENTAL ENTITY" INCLUDES

PAGE 12-HOUSE BILL 18-1128

Page 13: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

ENTITIES GOVERNED BY HOME RULE CHARTERS. "GOVERNMENTAL ENTITY"DOES NOT INCLUDE AN ENTITY ACTING AS A THIRD-PARTY SERVICE PROVIDERAS DEFINED IN SECTION 24-73-102.

(b) "PERSONAL IDENTIFYING INFORMATION" MEANS A SOCIALSECURITY NUMBER; A PERSONAL IDENTIFICATION NUMBER; A PASSWORD; APASS CODE; AN OFFICIAL STATE OR GOVERNMENT-ISSUED DRIVER'S LICENSEOR IDENTIFICATION CARD NUMBER; A GOVERNMENT PASSPORT NUMBER;BIOMETRIC DATA, AS DEFINED IN SECTION 24-73-103 (1)(a); AN EMPLOYER,STUDENT, OR MILITARY IDENTIFICATION NUMBER; OR A FINANCIALTRANSACTION DEVICE, AS DEFINED IN SECTION 18-5-701 (3).

24-73-102. Governmental entity - protection of personalidentifying information - definition. (1) TO PROTECT PERSONALIDENTIFYING INFORMATION, AS DEFINED IN SECTION 24-73-101 (4)(b), FROMUNAUTHORIZED ACCESS, USE, MODIFICATION, DISCLOSURE, OR DESTRUCTION,A GOVERNMENTAL ENTITY THAT MAINTAINS, OWNS, OR LICENSES PERSONALIDENTIFYING INFORMATION SHALL IMPLEMENT AND MAINTAIN REASONABLESECURITY PROCEDURES AND PRACTICES THAT ARE APPROPRIATE TO THENATURE OF THE PERSONAL IDENTIFYING INFORMATION AND THE NATURE ANDSIZE OF THE GOVERNMENTAL ENTITY.

(2) UNLESS A GOVERNMENTAL ENTITY AGREES TO PROVIDE ITS OWNSECURITY PROTECTION FOR THE INFORMATION IT DISCLOSES TO ATHIRD-PARTY SERVICE PROVIDER, THE GOVERNMENTAL ENTITY SHALLREQUIRE THAT THE THIRD-PARTY SERVICE PROVIDER IMPLEMENT ANDMAINTAIN REASONABLE SECURITY PROCEDURES AND PRACTICES THAT ARE:

(a) APPROPRIATE TO THE NATURE OF THE PERSONAL IDENTIFYINGINFORMATION DISCLOSED TO THE THIRD-PARTY SERVICE PROVIDER; AND

(b) REASONABLY DESIGNED TO HELP PROTECT THE PERSONALIDENTIFYING INFORMATION FROM UNAUTHORIZED ACCESS, USE,MODIFICATION, DISCLOSURE, OR DESTRUCTION.

(3) FOR THE PURPOSES OF SUBSECTION (2) OF THIS SECTION, ADISCLOSURE OF PERSONAL IDENTIFYING INFORMATION DOES NOT INCLUDEDISCLOSURE OF INFORMATION TO A THIRD PARTY UNDER CIRCUMSTANCESWHERE THE GOVERNMENTAL ENTITY RETAINS PRIMARY RESPONSIBILITY FORIMPLEMENTING AND MAINTAINING REASONABLE SECURITY PROCEDURES AND

PAGE 13-HOUSE BILL 18-1128

Page 14: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

PRACTICES APPROPRIATE TO THE NATURE OF THE PERSONAL IDENTIFYINGINFORMATION AND THE GOVERNMENTAL ENTITY IMPLEMENTS ANDMAINTAINS TECHNICAL CONTROLS REASONABLY DESIGNED TO:

(a) HELP PROTECT THE PERSONAL IDENTIFYING INFORMATION FROMUNAUTHORIZED ACCESS, MODIFICATION, DISCLOSURE, OR DESTRUCTION; OR

(b) EFFECTIVELY ELIMINATE THE THIRD PARTY'S ABILITY TO ACCESSTHE PERSONAL IDENTIFYING INFORMATION, NOTWITHSTANDING THE THIRDPARTY'S PHYSICAL POSSESSION OF THE PERSONAL IDENTIFYINGINFORMATION.

(4) A GOVERNMENTAL ENTITY THAT IS REGULATED BY STATE ORFEDERAL LAW AND THAT MAINTAINS PROCEDURES FOR STORAGE OFPERSONAL IDENTIFYING INFORMATION PURSUANT TO THE LAWS, RULES,REGULATIONS, GUIDANCES, OR GUIDELINES ESTABLISHED BY ITS STATE ORFEDERAL REGULATOR IS IN COMPLIANCE WITH THIS SECTION.

(5) FOR THE PURPOSES OF THIS SECTION, "THIRD-PARTY SERVICEPROVIDER" MEANS AN ENTITY THAT HAS BEEN CONTRACTED TO MAINTAIN,STORE, OR PROCESS PERSONAL IDENTIFYING INFORMATION ON BEHALF OF AGOVERNMENTAL ENTITY.

24-73-103. Governmental entity - notification of security breach.(1) Definitions. AS USED IN THIS SECTION, UNLESS THE CONTEXTOTHERWISE REQUIRES:

(a) "BIOMETRIC DATA" MEANS UNIQUE BIOMETRIC DATA GENERATEDFROM MEASUREMENTS OR ANALYSIS OF HUMAN BODY CHARACTERISTICS FORTHE PURPOSE OF AUTHENTICATING THE INDIVIDUAL WHEN HE OR SHEACCESSES AN ONLINE ACCOUNT.

(b) "DETERMINATION THAT A SECURITY BREACH OCCURRED" MEANSTHE POINT IN TIME AT WHICH THERE IS SUFFICIENT EVIDENCE TO CONCLUDETHAT A SECURITY BREACH HAS TAKEN PLACE.

(c) "ENCRYPTED" MEANS RENDERED UNUSABLE, UNREADABLE, ORINDECIPHERABLE TO AN UNAUTHORIZED PERSON THROUGH A SECURITYTECHNOLOGY OR METHODOLOGY GENERALLY ACCEPTED IN THE FIELD OFINFORMATION SECURITY.

PAGE 14-HOUSE BILL 18-1128

Page 15: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

(d) "GOVERNMENTAL ENTITY" MEANS THE STATE AND ANY STATEAGENCY OR INSTITUTION, INCLUDING THE JUDICIAL DEPARTMENT, COUNTY,CITY AND COUNTY, INCORPORATED CITY OR TOWN, SCHOOL DISTRICT,SPECIAL IMPROVEMENT DISTRICT, AUTHORITY, AND EVERY OTHER KIND OFDISTRICT, INSTRUMENTALITY, OR POLITICAL SUBDIVISION OF THE STATEORGANIZED PURSUANT TO LAW. "GOVERNMENTAL ENTITY" INCLUDESENTITIES GOVERNED BY HOME RULE CHARTERS. "GOVERNMENTAL ENTITY"DOES NOT INCLUDE AN ENTITY ACTING AS A THIRD-PARTY SERVICE PROVIDERAS DEFINED IN SUBSECTION (1)(i) OF THIS SECTION.

(e) "MEDICAL INFORMATION" MEANS ANY INFORMATION ABOUT ACONSUMER'S MEDICAL OR MENTAL HEALTH TREATMENT OR DIAGNOSIS BY AHEALTH CARE PROFESSIONAL.

(f) "NOTICE" MEANS:

(I) WRITTEN NOTICE TO THE POSTAL ADDRESS LISTED IN THERECORDS OF THE GOVERNMENTAL ENTITY;

(II) TELEPHONIC NOTICE;

(III) ELECTRONIC NOTICE, IF A PRIMARY MEANS OF COMMUNICATIONBY THE GOVERNMENTAL ENTITY WITH A COLORADO RESIDENT IS BYELECTRONIC MEANS OR THE NOTICE PROVIDED IS CONSISTENT WITH THEPROVISIONS REGARDING ELECTRONIC RECORDS AND SIGNATURES SET FORTHIN THE FEDERAL "ELECTRONIC SIGNATURES IN GLOBAL AND NATIONALCOMMERCE ACT", 15 U.S.C. SEC. 7001 ET SEQ.; OR

(IV) SUBSTITUTE NOTICE, IF THE GOVERNMENTAL ENTITY REQUIREDTO PROVIDE NOTICE DEMONSTRATES THAT THE COST OF PROVIDING NOTICEWILL EXCEED TWO HUNDRED FIFTY THOUSAND DOLLARS, THE AFFECTEDCLASS OF PERSONS TO BE NOTIFIED EXCEEDS TWO HUNDRED FIFTYTHOUSAND COLORADO RESIDENTS, OR THE GOVERNMENTAL ENTITY DOESNOT HAVE SUFFICIENT CONTACT INFORMATION TO PROVIDE NOTICE.SUBSTITUTE NOTICE CONSISTS OF ALL OF THE FOLLOWING:

(A) E-MAIL NOTICE IF THE GOVERNMENTAL ENTITY HAS E-MAILADDRESSES FOR THE MEMBERS OF THE AFFECTED CLASS OF COLORADORESIDENTS;

PAGE 15-HOUSE BILL 18-1128

Page 16: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

(B) CONSPICUOUS POSTING OF THE NOTICE ON THE WEBSITE PAGE OFTHE GOVERNMENTAL ENTITY IF THE GOVERNMENTAL ENTITY MAINTAINSONE; AND

(C) NOTIFICATION TO MAJOR STATEWIDE MEDIA.

(g) (I) (A) "PERSONAL INFORMATION" MEANS A COLORADORESIDENT'S FIRST NAME OR FIRST INITIAL AND LAST NAME IN COMBINATIONWITH ANY ONE OR MORE OF THE FOLLOWING DATA ELEMENTS THAT RELATETO THE RESIDENT, WHEN THE DATA ELEMENTS ARE NOT ENCRYPTED,REDACTED, OR SECURED BY ANY OTHER METHOD RENDERING THE NAME ORTHE ELEMENT UNREADABLE OR UNUSABLE: SOCIAL SECURITY NUMBER;DRIVER'S LICENSE NUMBER OR IDENTIFICATION CARD NUMBER; STUDENT,MILITARY, OR PASSPORT IDENTIFICATION NUMBER; MEDICAL INFORMATION;HEALTH INSURANCE IDENTIFICATION NUMBER; OR BIOMETRIC DATA, ASDEFINED IN SUBSECTION (1)(a) OF THIS SECTION;

(B) A COLORADO RESIDENT'S USERNAME OR E-MAIL ADDRESS, INCOMBINATION WITH A PASSWORD OR SECURITY QUESTIONS AND ANSWERS,THAT WOULD PERMIT ACCESS TO AN ONLINE ACCOUNT; OR

(C) A COLORADO RESIDENT'S ACCOUNT NUMBER OR CREDIT ORDEBIT CARD NUMBER IN COMBINATION WITH ANY REQUIRED SECURITY CODE,ACCESS CODE, OR PASSWORD THAT WOULD PERMIT ACCESS TO THATACCOUNT.

(II) "PERSONAL INFORMATION" DOES NOT INCLUDE PUBLICLYAVAILABLE INFORMATION THAT IS LAWFULLY MADE AVAILABLE TO THEGENERAL PUBLIC FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDSOR WIDELY DISTRIBUTED MEDIA.

(h) "SECURITY BREACH" MEANS THE UNAUTHORIZED ACQUISITION OFUNENCRYPTED COMPUTERIZED DATA THAT COMPROMISES THE SECURITY,CONFIDENTIALITY, OR INTEGRITY OF PERSONAL INFORMATION MAINTAINEDBY A GOVERNMENTAL ENTITY. GOOD FAITH ACQUISITION OF PERSONALINFORMATION BY AN EMPLOYEE OR AGENT OF A GOVERNMENTAL ENTITY FORTHE PURPOSES OF THE GOVERNMENTAL ENTITY IS NOT A SECURITY BREACHIF THE PERSONAL INFORMATION IS NOT USED FOR A PURPOSE UNRELATED TOTHE LAWFUL GOVERNMENT PURPOSE OR IS NOT SUBJECT TO FURTHERUNAUTHORIZED DISCLOSURE.

PAGE 16-HOUSE BILL 18-1128

Page 17: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

(i) "THIRD-PARTY SERVICE PROVIDER" MEANS AN ENTITY THAT HASBEEN CONTRACTED TO MAINTAIN, STORE, OR PROCESS PERSONALINFORMATION ON BEHALF OF A GOVERNMENTAL ENTITY.

(2) Disclosure of breach. (a) A GOVERNMENTAL ENTITY THATMAINTAINS, OWNS, OR LICENSES COMPUTERIZED DATA THAT INCLUDESPERSONAL INFORMATION ABOUT A RESIDENT OF COLORADO SHALL, WHEN ITBECOMES AWARE THAT A SECURITY BREACH MAY HAVE OCCURRED,CONDUCT IN GOOD FAITH A PROMPT INVESTIGATION TO DETERMINE THELIKELIHOOD THAT PERSONAL INFORMATION HAS BEEN OR WILL BE MISUSED.THE GOVERNMENTAL ENTITY SHALL GIVE NOTICE TO THE AFFECTEDCOLORADO RESIDENTS UNLESS THE INVESTIGATION DETERMINES THAT THEMISUSE OF INFORMATION ABOUT A COLORADO RESIDENT HAS NOT OCCURREDAND IS NOT REASONABLY LIKELY TO OCCUR. NOTICE MUST BE MADE IN THEMOST EXPEDIENT TIME POSSIBLE AND WITHOUT UNREASONABLE DELAY, BUTNOT LATER THAN THIRTY DAYS AFTER THE DATE OF DETERMINATION THATA SECURITY BREACH OCCURRED, CONSISTENT WITH THE LEGITIMATE NEEDSOF LAW ENFORCEMENT AND CONSISTENT WITH ANY MEASURES NECESSARYTO DETERMINE THE SCOPE OF THE BREACH AND TO RESTORE THEREASONABLE INTEGRITY OF THE COMPUTERIZED DATA SYSTEM.

(b) IN THE CASE OF A BREACH OF PERSONAL INFORMATION, NOTICEREQUIRED BY THIS SUBSECTION (2) TO AFFECTED COLORADO RESIDENTSMUST INCLUDE, BUT NEED NOT BE LIMITED TO, THE FOLLOWINGINFORMATION:

(I) THE DATE, ESTIMATED DATE, OR ESTIMATED DATE RANGE OF THESECURITY BREACH;

(II) A DESCRIPTION OF THE PERSONAL INFORMATION THAT WASACQUIRED OR REASONABLY BELIEVED TO HAVE BEEN ACQUIRED AS PART OFTHE SECURITY BREACH;

(III) INFORMATION THAT THE RESIDENT CAN USE TO CONTACT THEGOVERNMENTAL ENTITY TO INQUIRE ABOUT THE SECURITY BREACH;

(IV) THE TOLL-FREE NUMBERS, ADDRESSES, AND WEBSITES FORCONSUMER REPORTING AGENCIES;

(V) THE TOLL-FREE NUMBER, ADDRESS, AND WEBSITE FOR THE

PAGE 17-HOUSE BILL 18-1128

Page 18: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

FEDERAL TRADE COMMISSION; AND

(VI) A STATEMENT THAT THE RESIDENT CAN OBTAIN INFORMATIONFROM THE FEDERAL TRADE COMMISSION AND THE CREDIT REPORTINGAGENCIES ABOUT FRAUD ALERTS AND SECURITY FREEZES.

(c) IF AN INVESTIGATION BY THE GOVERNMENTAL ENTITY PURSUANTTO SUBSECTION (2)(a) OF THIS SECTION DETERMINES THAT THE TYPE OFPERSONAL INFORMATION DESCRIBED IN SUBSECTION (1)(g)(I)(B) OF THISSECTION HAS BEEN MISUSED OR IS REASONABLY LIKELY TO BE MISUSED,THEN THE GOVERNMENTAL ENTITY SHALL, IN ADDITION TO THE NOTICEOTHERWISE REQUIRED BY SUBSECTION (2)(b) OF THIS SECTION AND IN THEMOST EXPEDIENT TIME POSSIBLE AND WITHOUT UNREASONABLE DELAY, BUTNOT LATER THAN THIRTY DAYS AFTER THE DATE OF DETERMINATION THATA SECURITY BREACH OCCURRED, CONSISTENT WITH THE LEGITIMATE NEEDSOF LAW ENFORCEMENT AND CONSISTENT WITH ANY MEASURES NECESSARYTO DETERMINE THE SCOPE OF THE BREACH AND TO RESTORE THEREASONABLE INTEGRITY OF THE COMPUTERIZED DATA SYSTEM:

(I) DIRECT THE PERSON WHOSE PERSONAL INFORMATION HAS BEENBREACHED TO PROMPTLY CHANGE HIS OR HER PASSWORD AND SECURITYQUESTION OR ANSWER, AS APPLICABLE, OR TO TAKE OTHER STEPSAPPROPRIATE TO PROTECT THE ONLINE ACCOUNT WITH THE PERSON ORBUSINESS AND ALL OTHER ONLINE ACCOUNTS FOR WHICH THE PERSON WHOSEPERSONAL INFORMATION HAS BEEN BREACHED USES THE SAME USERNAMEOR E-MAIL ADDRESS AND PASSWORD OR SECURITY QUESTION OR ANSWER.

(II) FOR LOG-IN CREDENTIALS OF AN E-MAIL ACCOUNT FURNISHED BYTHE GOVERNMENTAL ENTITY, THE GOVERNMENTAL ENTITY SHALL NOTCOMPLY WITH THIS SECTION BY PROVIDING THE SECURITY BREACHNOTIFICATION TO THAT E-MAIL ADDRESS, BUT MAY INSTEAD COMPLY WITHTHIS SECTION BY PROVIDING NOTICE THROUGH OTHER METHODS, AS DEFINEDIN SUBSECTION (1)(f) OF THIS SECTION, OR BY CLEAR AND CONSPICUOUSNOTICE DELIVERED TO THE RESIDENT ONLINE WHEN THE RESIDENT ISCONNECTED TO THE ONLINE ACCOUNT FROM AN INTERNET PROTOCOLADDRESS OR ONLINE LOCATION FROM WHICH THE GOVERNMENTAL ENTITYKNOWS THE RESIDENT CUSTOMARILY ACCESSES THE ACCOUNT.

(d) THE BREACH OF ENCRYPTED OR OTHERWISE SECURED PERSONALINFORMATION MUST BE DISCLOSED IN ACCORDANCE WITH THIS SECTION IF

PAGE 18-HOUSE BILL 18-1128

Page 19: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

THE CONFIDENTIAL PROCESS, ENCRYPTION KEY, OR OTHER MEANS TODECIPHER THE SECURED INFORMATION WAS ALSO ACQUIRED IN THESECURITY BREACH OR WAS REASONABLY BELIEVED TO HAVE BEENACQUIRED.

(e) A GOVERNMENTAL ENTITY THAT IS REQUIRED TO PROVIDE NOTICEPURSUANT TO THIS SUBSECTION (2) IS PROHIBITED FROM CHARGING THE COSTOF PROVIDING SUCH NOTICE TO INDIVIDUALS.

(f) NOTHING IN THIS SUBSECTION (2) PROHIBITS THE NOTICEDESCRIBED IN THIS SUBSECTION (2) FROM CONTAINING ADDITIONALINFORMATION, INCLUDING ANY INFORMATION THAT MAY BE REQUIRED BYSTATE OR FEDERAL LAW.

(g) IF A GOVERNMENTAL ENTITY USES A THIRD-PARTY SERVICEPROVIDER TO MAINTAIN COMPUTERIZED DATA THAT INCLUDES PERSONALINFORMATION, THEN THE THIRD-PARTY SERVICE PROVIDER SHALL GIVENOTICE TO AND COOPERATE WITH THE GOVERNMENTAL ENTITY IN THE EVENTOF A SECURITY BREACH THAT COMPROMISES SUCH COMPUTERIZED DATA,INCLUDING NOTIFYING THE GOVERNMENTAL ENTITY OF ANY SECURITYBREACH IN THE MOST EXPEDIENT TIME AND WITHOUT UNREASONABLE DELAYFOLLOWING DISCOVERY OF A SECURITY BREACH, IF MISUSE OF PERSONALINFORMATION ABOUT A COLORADO RESIDENT OCCURRED OR IS LIKELY TOOCCUR. COOPERATION INCLUDES SHARING WITH THE COVERED ENTITYINFORMATION RELEVANT TO THE SECURITY BREACH; EXCEPT THAT SUCHCOOPERATION DOES NOT REQUIRE THE DISCLOSURE OF CONFIDENTIALBUSINESS INFORMATION OR TRADE SECRETS.

(h) NOTICE REQUIRED BY THIS SECTION MAY BE DELAYED IF A LAWENFORCEMENT AGENCY DETERMINES THAT THE NOTICE WILL IMPEDE ACRIMINAL INVESTIGATION AND THE LAW ENFORCEMENT AGENCY HASNOTIFIED THE GOVERNMENTAL ENTITY THAT OPERATES IN COLORADO NOTTO SEND NOTICE REQUIRED BY THIS SECTION. NOTICE REQUIRED BY THISSECTION MUST BE MADE IN GOOD FAITH, IN THE MOST EXPEDIENT TIMEPOSSIBLE AND WITHOUT UNREASONABLE DELAY, BUT NOT LATER THANTHIRTY DAYS AFTER THE LAW ENFORCEMENT AGENCY DETERMINES THATNOTIFICATION WILL NO LONGER IMPEDE THE INVESTIGATION, AND HASNOTIFIED THE GOVERNMENTAL ENTITY THAT IT IS APPROPRIATE TO SEND THENOTICE REQUIRED BY THIS SECTION.

PAGE 19-HOUSE BILL 18-1128

Page 20: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

(i) IF A GOVERNMENTAL ENTITY IS REQUIRED TO NOTIFY MORE THANONE THOUSAND COLORADO RESIDENTS OF A SECURITY BREACH PURSUANTTO THIS SECTION, THE GOVERNMENTAL ENTITY SHALL ALSO NOTIFY, IN THEMOST EXPEDIENT TIME POSSIBLE AND WITHOUT UNREASONABLE DELAY, ALLCONSUMER REPORTING AGENCIES THAT COMPILE AND MAINTAIN FILES ONCONSUMERS ON A NATIONWIDE BASIS, AS DEFINED BY THE FEDERAL "FAIRCREDIT REPORTING ACT", 15 U.S.C. SEC. 1681a (p), OF THE ANTICIPATEDDATE OF THE NOTIFICATION TO THE RESIDENTS AND THE APPROXIMATENUMBER OF RESIDENTS WHO ARE TO BE NOTIFIED. NOTHING IN THISSUBSECTION (2)(i) REQUIRES THE GOVERNMENTAL ENTITY TO PROVIDE TOTHE CONSUMER REPORTING AGENCY THE NAMES OR OTHER PERSONALINFORMATION OF SECURITY BREACH NOTICE RECIPIENTS. THIS SUBSECTION(2)(i) DOES NOT APPLY TO A PERSON WHO IS SUBJECT TO TITLE V OF THEFEDERAL "GRAMM-LEACH-BLILEY ACT", 15 U.S.C. SEC. 6801 ET SEQ.

(j) A WAIVER OF THESE NOTIFICATION RIGHTS OR RESPONSIBILITIESIS VOID AS AGAINST PUBLIC POLICY.

(k) (I) THE GOVERNMENTAL ENTITY THAT MUST NOTIFY COLORADORESIDENTS OF A DATA BREACH PURSUANT TO THIS SECTION SHALL PROVIDENOTICE OF ANY SECURITY BREACH TO THE COLORADO ATTORNEY GENERALIN THE MOST EXPEDIENT TIME POSSIBLE AND WITHOUT UNREASONABLEDELAY, BUT NOT LATER THAN THIRTY DAYS AFTER THE DATE OFDETERMINATION THAT A SECURITY BREACH OCCURRED, IF THE SECURITYBREACH IS REASONABLY BELIEVED TO HAVE AFFECTED FIVE HUNDREDCOLORADO RESIDENTS OR MORE, UNLESS THE INVESTIGATION DETERMINESTHAT THE MISUSE OF INFORMATION ABOUT A COLORADO RESIDENT HAS NOTOCCURRED AND IS NOT LIKELY TO OCCUR.

(II) THE COLORADO ATTORNEY GENERAL SHALL DESIGNATE APERSON OR PERSONS AS A POINT OF CONTACT FOR FUNCTIONS SET FORTH INTHIS SUBSECTION (2)(k) AND SHALL MAKE THE CONTACT INFORMATION FORTHAT PERSON OR THOSE PERSONS PUBLIC ON THE ATTORNEY GENERAL'SWEBSITE AND BY ANY OTHER APPROPRIATE MEANS.

(l) THE BREACH OF ENCRYPTED OR OTHERWISE SECURED PERSONALINFORMATION MUST BE DISCLOSED IN ACCORDANCE WITH THIS SECTION IFTHE CONFIDENTIAL PROCESS, ENCRYPTION KEY, OR OTHER MEANS TODECIPHER THE SECURED INFORMATION WAS ALSO ACQUIRED OR WASREASONABLY BELIEVED TO HAVE BEEN ACQUIRED IN THE SECURITY BREACH.

PAGE 20-HOUSE BILL 18-1128

Page 21: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

(3) Procedures deemed in compliance with notice requirements.(a) PURSUANT TO THIS SECTION, A GOVERNMENTAL ENTITY THATMAINTAINS ITS OWN NOTIFICATION PROCEDURES AS PART OF ANINFORMATION SECURITY POLICY FOR THE TREATMENT OF PERSONALINFORMATION AND WHOSE PROCEDURES ARE OTHERWISE CONSISTENT WITHTHE TIMING REQUIREMENTS OF THIS SECTION IS IN COMPLIANCE WITH THENOTICE REQUIREMENTS OF THIS SECTION IF THE GOVERNMENTAL ENTITYNOTIFIES AFFECTED COLORADO RESIDENTS IN ACCORDANCE WITH ITSPOLICIES IN THE EVENT OF A SECURITY BREACH; EXCEPT THAT NOTICE TO THEATTORNEY GENERAL IS STILL REQUIRED PURSUANT TO SUBSECTION (2)(k) OFTHIS SECTION.

(b) A GOVERNMENTAL ENTITY THAT IS REGULATED BY STATE ORFEDERAL LAW AND THAT MAINTAINS PROCEDURES FOR A SECURITY BREACHPURSUANT TO THE LAWS, RULES, REGULATIONS, GUIDANCES, OR GUIDELINESESTABLISHED BY ITS STATE OR FEDERAL REGULATOR IS IN COMPLIANCE WITHTHIS SECTION; EXCEPT THAT NOTICE TO THE ATTORNEY GENERAL IS STILLREQUIRED PURSUANT TO SUBSECTION (2)(k) OF THIS SECTION. IN THE CASEOF A CONFLICT BETWEEN THE TIME PERIOD FOR NOTICE TO INDIVIDUALS, THELAW OR REGULATION WITH THE SHORTEST NOTICE PERIOD CONTROLS.

(4) Violations. THE ATTORNEY GENERAL MAY BRING AN ACTION FORINJUNCTIVE RELIEF TO ENFORCE THE PROVISIONS OF THIS SECTION.

(5) Attorney general criminal authority. UPON RECEIPT OF NOTICEPURSUANT TO SUBSECTION (2) OF THIS SECTION, AND WITH EITHER AREQUEST FROM THE GOVERNOR TO PROSECUTE A PARTICULAR CASE OR WITHTHE APPROVAL OF THE DISTRICT ATTORNEY WITH JURISDICTION TOPROSECUTE CASES IN THE JUDICIAL DISTRICT WHERE A CASE COULD BEBROUGHT, THE ATTORNEY GENERAL HAS THE AUTHORITY TO PROSECUTEANY CRIMINAL VIOLATIONS OF SECTION 18-5.5-102.

SECTION 5. Effective date. This act takes effect September 1,2018.

SECTION 6. Safety clause. The general assembly hereby finds,

PAGE 21-HOUSE BILL 18-1128

Page 22: NOTE: This bill has been prepared for the signatures of ......6-1-713.5. protection of personal identifying information - definition. (1) to protect personal identifying information,

determines, and declares that this act is necessary for the immediatepreservation of the public peace, health, and safety.

____________________________ ____________________________Crisanta Duran Kevin J. GranthamSPEAKER OF THE HOUSE PRESIDENT OFOF REPRESENTATIVES THE SENATE

____________________________ ____________________________Marilyn Eddins Effie AmeenCHIEF CLERK OF THE HOUSE SECRETARY OFOF REPRESENTATIVES THE SENATE

APPROVED________________________________________

_________________________________________ John W. Hickenlooper GOVERNOR OF THE STATE OF COLORADO

PAGE 22-HOUSE BILL 18-1128


Personal Information and Introductions - Perpustakaan UT...menyiapkan kaset mata kuliah ini dan tape recorder. Setelah mendengarkan, Setelah mendengarkan, Anda diminta untuk melakukan

Personal Homepages

Personal Branding 20 03

1. Personal Renglon 011

Introduction au Personal Branding

Personal information Exercice 1

REBECCA KAMMERER By: Rebecca Kammerer. Personal Information Birthday: November 3rd, 1997 Family: Mom (Sherrie), Dad (David), Joe, Jon, Kristina, and

Personal branding étudiant

What happens to your personal information online?

_Enrique Gonzalez Personal Info

Drivers & Passengers Personal Accident Insurance

Personal kanban breizhcamp

Cover Personal Information Qualifications Training and ... · 2 ميحرلا نمحرلا الله مسب CURRICULUM VITAE Personal Information: Name: Nagi Zomrawi Mohammed Yousif

Marketing Internet & Personal Branding

Créez Votre Personal Brand

JavaBlend™ Blenderuseandcares.hamiltonbeach.com/files/840225600.pdf · frappuccino maker, and possibly result in personal injury. Maximum Wattage Information The wattage rating

e-Health: strategy and ongoing programs · 3. Develop health digital information services towards patients and citizens. 4. Open access to health data, respectful of personal information

Evaluacion Del Personal

MCS Personal Health › ocspr › documents › obamacare › planes › MC… · 1 MCS Personal Health MCS Life Insurance Company 5/2014 MCS Personal Health PLAN: [8010, 8030, 8011,

TR-203 Personal Tracker › soporte › Information › GlobalSat › TR... · Thank you for purchasing the GlobalSat TR-203 Personal Tracker. The GlobalSat TR-203 Personal Tracker

Le Personal Branding

Application of the Genetic Algorithms for Identifying the

Identifying efficient chemical-based nucleic acid transfection … · Identifying efficient chemical-based nucleic acid transfection compound for primary neurons and neuronal cell

CLONINGER CURRICULUM VITAE 2015 - inhn.org · 1 Archives July 16, 2015 CURRICULUM VITAE C. Robert Cloninger, MD, PhD April 2015 Personal Information: Sex: Male Birthplace: Beaumont,

Momento4_Gestion de personal

Fl701 Personal Tea Kettle

OPINION N° 98 Biometrics, identifying data and human rights · National Consultative Ethics Committee for Health and Life Sciences OPINION N° 98 Biometrics, identifying data and

Safety Information Renseignements relatifs à la sécurité ...Personal Computer / Ordinateur personnel / Computadora Personal / Computador Pessoal VGN-Z600 Series. 2 For customers

Cozy, a Personal PaaS

PERSONAL INFORMATION Giorgia Girotto …...Curriculum vitae PERSONAL INFORMATION Giorgia Girotto [email protected] Nationality Italian WORK EXPERIENCE 30/01/2019–Present

Calculs en composantes Équations - Personal …homepages.ulb.ac.be/~dleemans/mathf112/slide-cours-4.pdf · Calculs en composantes Information Guidance en mathématiques Dans quel

Personal branding

Personal branding - Wahid ROUHLI

Disque dur HP Personal Media Drive Manuel de l’utilisateurh10032.Éléments fournis avec le disque HP Personal Media Drive Les éléments livrés avec votre disque HP Personal Media

EUROPEAN CURRICULUM VITAE FORMAT€¦ · Page 1 - Curriculum vitae of Dr. Paolo Francesco Gallo EUROPEAN CURRICULUM VITAE FORMAT PERSONAL INFORMATION Name Gallo, Paolo Francesco Address