Serving Colorado's Counties

Technical Update vol. 25 no. 31 - Security Breaches and Personal Information

August 3, 2021

During the 2018 legislative session, the state of Colorado amended Colo. Rev. Stat. Ann § 6-1-716 (2006), to include governmental entities. The statute concerns how a person’s information (e.g., social security number, passport ID, medical information, password, username, email address, etc.) is stored, disposed of, and in the case of a data breach, how they are notified about the breach. The law went into effect on September 1, 2018.

The amended statute defines a governmental entity as: any state agency or institution, including the judicial department, county, city and county, incorporated city or town, school district, special improvement district, authority, and every other kind of district, instrumentality, or political subdivision of the state organized pursuant to law. Article 73, Section 24-73-101-(4)(a)”..

Written Policy Required

The amended statute requires that a governmental entity that keeps paper or electronic documents containing personal identifying information develop a written policy for the destruction or proper disposal of those documents after the information is no longer needed. Furthermore, counties must take “reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” Colo. Rev. Stat. § 6-1-713.5(1). 

Expanded Breach Notification

When a county becomes aware that a breach of unencrypted computerized data has occurred, it must inform the affected parties within 30 days. Counties may delay the notification if law enforcement investigating the breach deems a delay necessary for their investigation; however, counties must inform affected parties in the most expedient time possible without unreasonable delay once cleared to do so by law enforcement. Third-party service providers used by the county must be informed that their cooperation with the county and law enforcement is required in the case of a data breach.

Attorney General & Consumer Reporting

For data breaches that compromise the personal data of more than 500 Colorado citizens, the Colorado Attorney General’s Office must be notified no later than 30 days after the date the breach was discovered. For data breaches affecting more than 1000 Colorado residents, the governmental entity must also notify all nationwide consumer reporting agencies. Furthermore, any waivers of notification rights or responsibilities that residents may have signed before the amended legislation are void as they are now against public policy.

What This Means for Counties

Counties should ensure that they have a written policy detailing the safe disposal of electronic and paper records containing personal identifying information and ensure that they are taking reasonable security precautions to protect that information and comply with the notification requirement. For more information or for a sample policy, please contact CTSI at 303 861 0507.

A PDF of this Technical Update is available here.

News & Updates

Technical Update vol. 26 no. 3 - Healthy Families and Workplace Act - Supplemental Paid Leave

The Healthy Families and Workplace Act (HFWA), signed into law in July 2020, gave Coloradans paid sick leave. The HFWA requires almost all public and private employers in Colorado to […]

Read More
Technical Update vol. 26 no. 2 - Healthy Families and Workplace Act

When Governor Polis signed The Healthy Families and Workplace Act (HFWA) into law in July 2020, Colorado became one of 14 states and Washington DC to require paid sick leave. […]

Read More
Technical Update vol. 26 no. 1 - Required Workplace Notices

Like all other employers, local governments are required to post certain notices for their employees. The State of Colorado and the U.S. Department of Labor usually post a list of […]

Read More
Technical Update vol. 25 no. 52 - Pets in the Workplace

People love their pets. As a result, we are seeing more and more pets, especially dogs, being taken on planes, to stores, and even into the workplace. A pet-friendly workplace […]

Read More
December: Handwashing Awareness
Read More