Colorado House Bill 18-1128 went into effect on September 1, 2018; however, questions and implementation issues continue. The delays have more to do with confusion between Colorado’s House Bill 18-1128, the new General Data Protection Regulation (GDPR), and the ongoing data breaches that continue to haunt the public sector.
Adding to the confusion and pressure in Colorado is that the bill went into effect immediately on September 1, 2018, whereas California’s data protection bill, for example, gives businesses until 2020 to meet its privacy data regulations.
Which Companies Need to Be Concerned
For this article we are not focusing on government entities, but on the “covered entity” and personal information. A “covered entity” is defined as follows:
Covered entities are those that “maintain, own or license personal identifying information” of Colorado residents “in the course of its business, vocation or occupation.” HB 18-1128.
What kind of Personal Data is Covered?
Companies that fit the “covered entity” definition must implement policies that protect this data and address any potential vulnerabilities (breaches) to it. Personal data is defined by:
(b) “Personal identifying information” means a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data, AS DEFINED IN SECTION 6-1-716 (1)(a); an employer, student, or military identification number; or a financial transaction device, AS DEFINED IN SECTION 18-5-701 (3).
Personal Identifying Information (PII) includes first and last names as well as:
- Social Security Number
- Student, Military or Passport PII
- Driver’s License Number
- Medical Information
- Health Insurance Numbers and Records
- Biometric Data
- Usernames, Passwords and Security Questions for Email Addresses
- Credit Card Information
The protection of personal data applies not only to a company’s own databases but also to any third-party service provider who may hold the same data.
If There is a Breach, Then What?
The new regulations cover breaches affecting 500+ Colorado residents. In this event, the company must notify its employees, the 500+ affected Colorado residents and the Colorado Attorney General within 30 days of the breach.
Similar regulations are slowly passing in other states, which means that if you are doing business in California, the EU (GDPR) or Massachusetts, you must also meet those states’ and countries’ regulations once they are implemented.
Most Companies on Average Have Personal Identifying Information Well Over the 500 Threshold
The accumulation of email lists in marketing and sales over the last few years means that anyone doing business most likely fits the profile for compliance, which is one of the reasons for the ongoing questions. Many small business professionals and entrepreneurs think this regulation doesn’t affect them. We have found with every inquiry that they “all” must adhere to it and implement a data protection policy. Our motto is: if you want to be in business in Colorado, stand up, respect your lists’ PII and thrive.
In summary, the Colorado bill is notable for how swiftly a business must implement its personal data protection protocols. However, given the ever-expanding data breaches affecting millions and the delays in notifying people whose PII was exposed, is it any wonder?
Resources to help you understand more are the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS). The original Colorado bill can be found here: https://leg.colorado.gov/bills/hb18-1128.