Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: No later than 30 days
Government Notification Required: Yes, if 500+ residents notified
Scope of This Summary:
Notification requirements applicable to individuals or commercial entities that conduct business in state and own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if, after prompt investigation, the covered entity determines that misuse of resident's covered info has not occurred and is not reasonably likely to occur.
Unauthorized acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted, redacted, or secured by any other means rendering the name or element unreadable or unusable, so long as the encryption key is not reasonably believed to have also been acquired.
Form of Covered Info
- First name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number.
- Student, military, or passport identification number.
- Driver's license number or identification card number.
- Medical information, meaning any information about a consumer's medical or mental health treatment or diagnosis by a healthcare professional.
- Health insurance identification number.
- Biometric data, meaning unique biometric data generated from measurements or analysis of human body characteristics for the purposes of authenticating the individual when he or she accesses an online account.
- Personal information also means a Colorado resident's:
- Username or email address in combination with a password or security question and answer that would permit access to an online account; or
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.
Consumer Notice Timing
Must be made no later than 30 days after the date of determination that the breach occurred, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Consumer Notice Method
By written notice, telephonic notice, or electronic notice (if it is the primary method of communication with the resident or is consistent with E-SIGN). Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
- Notice must include, but need not be limited to, the following information:
- The date, estimated date, or estimated date range of the security breach.
- A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach.
- Information that the resident can use to contact the covered entity to inquire about the security breach.
- The toll-free numbers, addresses, and websites for Consumer Reporting Agencies.
- The toll-free number, address, and website for the Federal Trade Commission.
- A statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes.
- If an investigation determines that a resident's online account credentials (username or email address in combination with a password or security question and answer that would permit access to an online account) have been misused or are reasonably likely to be misused, then the covered entity shall additionally direct the person whose personal information has been breached to promptly:
- Change their password and security question and answer, as applicable, or
- Take other steps appropriate to protect the online account with the covered entity and all other online accounts for which the person whose personal information has been breached uses the same username or email address and password or security question or answer.
Notification may be delayed if law enforcement determines that notice will impede a criminal investigation, and law enforcement notifies the covered entity not to send notice. Notice must be made no later than 30 days after law enforcement informs the covered entity that delay is no longer required.
If covered entity reasonably believes that breach affected 500 or more residents, must also notify the Attorney General no later than 30 days after determination that breach occurred.
Consumer Reporting Agency Notice
If more than 1,000 residents notified, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of anticipated date of notice and approximate number of residents to be notified.
Exceptions for Other Laws
A covered entity is deemed in compliance with the statute if it maintains and complies with breach notification procedures established by the covered entity's state or federal regulator pursuant to applicable federal or state law, if the procedures are consistent with the timing requirements of the statute.
*Covered entities deemed in compliance must notify the attorney general if a breach occurs.
If you maintain covered info on behalf of another entity, you must notify it in the most expedient time possible and without unreasonable delay following discovery of a breach, if misuse of the covered info about a resident has occurred or is reasonably likely to occur. Must cooperate by sharing relevant information about breach but not disclosure of confidential business info or trade secrets.
Private Right of Action
The Colorado general breach notification statute does not provide for a private right of action.
Violations may result in civil penalties.