Serving Colorado's Counties

Technical Update vol. 25 no. 31 - Security Breaches and Personal Information

August 3, 2021

During the 2018 legislative session, the state of Colorado amended Colo. Rev. Stat. Ann § 6-1-716 (2006) to include governmental entities. The statute concerns how a person’s information (e.g., social security number, passport ID, medical information, password, username, email address, etc.) is stored and disposed of and, in the case of a data breach, how that person is notified about the breach. The law went into effect on September 1, 2018.

The amended statute defines a governmental entity as: any state agency or institution, including the judicial department, county, city and county, incorporated city or town, school district, special improvement district, authority, and every other kind of district, instrumentality, or political subdivision of the state organized pursuant to law. Article 73, Section 24-73-101-(4)(a).

Written Policy Required

The amended statute requires that a governmental entity that keeps paper or electronic documents containing personal identifying information develop a written policy for the destruction or proper disposal of those documents after the information is no longer needed. Furthermore, counties must implement “reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” Colo. Rev. Stat. § 6-1-713.5(1).

Expanded Breach Notification

When a county becomes aware that a breach of unencrypted computerized data has occurred, it must inform the affected parties within 30 days. Counties may delay the notification if law enforcement investigating the breach deems a delay necessary for their investigation; however, counties must inform affected parties in the most expedient time possible without unreasonable delay once cleared to do so by law enforcement. Third-party service providers used by the county must be informed that their cooperation with the county and law enforcement is required in the case of a data breach.

Attorney General & Consumer Reporting Notification

For data breaches that compromise the personal data of more than 500 Colorado citizens, the Colorado Attorney General’s Office must be notified no later than 30 days after the date the breach was discovered. For data breaches affecting more than 1000 Colorado residents, the governmental entity must also notify all nationwide consumer reporting agencies. Furthermore, any waivers of notification rights or responsibilities that residents may have signed before the amended legislation are void as they are now against public policy.

What This Means for Counties

Counties should ensure that they have a written policy detailing the safe disposal of electronic and paper records containing personal identifying information and ensure that they are taking reasonable security precautions to protect that information and comply with the notification requirement. For more information or for a sample policy, please contact CTSI at 303 861 0507.
