New Colorado Law Sets 30-Day Requirement for Data Breach Notification

Colorado Gov. John Hickenlooper last week signed bipartisan bill HB18-1128, “Protections for Consumer Data Privacy,” officially setting in place some of the most stringent requirements for personal information data disposal and data breach notification in place in any U.S. state.

30-day notification window

The new law requires organizations to maintain a policy for disposing documents with consumer data and notify Colorado residents of any potential personal information exposure no later than 30 days after discovering a data breach. The 30-day notification window does not provide for any specific exemptions and is the shortest of any state.

The Colorado regulation is set to take effect Sept. 1.

The law additionally expands the state’s definition of “personally identifying information” and requires organizations to provide Colorado residents affected by data breaches with the estimated date of the breach and a description of what information was likely accessed.

Law firm Ballard Spahr partner David Stauss, who was part of the drafting process for the bill, noted that the expanded definition of “personally identifying information” raised objections from organizations guided by federal law restricting release of medical information. While Health Insurance Portability and Accountability Act (HIPAA) regulations require that organizations disclose potential data breaches within 60 days, Colorado’s new standards for personal information now requires HIPAA-guided organizations to comply with its 30-day window.

Data breach notification laws now in place all 50 states

Colorado’s law joins data breach notification laws now in place in all 50 states. Most states require that organizations notify state residents in a reasonable amount of time, but don’t mandate a specific time frame. “Of the states that have picked time frames, most have gone with 45 [days],” Stauss noted. “What Colorado wanted to be was extremely proactive on the time frame notice. They wanted to have a time frame that was reasonable, but was also appropriate to the risks involved.”

He said his firm is telling clients to get procedures to comply in place now. “You can’t spend two weeks trying to figure out how to conduct an investigation. That’s not a prompt investigation,” Stauss noted.

‘Broader and stricter’ laws

Amelia Gerlicher, counsel at Perkins Coie, said that while the breach notification window is perhaps novel right now, it’s part of a broader trend among states. “I think they’re getting broader and stricter over time,” she said of state data breach notification law.

State legislators’ recent urgency around data breach notification law may come as a response to a series of high-profile consumer data breaches. A hack at credit reporting group Equifax Inc. last year exposed personal records for nearly one in three U.S. residents; though the company retained counsel immediately after becoming aware of the breach, the company waited over a month to notify consumers, during which time a group of executives sold off $1.8 million worth of company stock shares.

In the last year, “I think a number of states were reacting to Equifax and saying, ‘We’ve got to do stuff here,’” Stauss said. At least eight states amended their data breach notification policies.

State laws aren’t coherent

But while there are some cross-state trends in data breach notification laws, Gerlicher also thinks state laws aren’t really cohering well. “They’re diverging. There seems to be one [state] every year or so that needs to be separately recognized that wouldn’t be accounted for in the typical response,” she said.

“I think that the states generally don’t think that’s a problem,” Gerlicher said. She tends to disagree, noting, “I don’t think its useful.”

Governor Hickenlooper signed Colorado’s law just weeks after the European Union’s sweeping General Data Protection Regulation (GDPR) took effect on May 25. The GDPR requires that companies serving EU residents adhere to stiff data privacy requirements, meaning that many U.S. companies with global operations are covered by the policy.

New GDPR-like regulation may be quickly headed to the United States at a state level. A proposed ballot measure set to go before California voters in November proposes to force companies to disclose what data they’ve collected on consumers, allow consumers to opt-in to third-party data sharing, and sue companies who fail to comply.

“States are the incubator for these laws right now,” Stauss said. “I think in the next legislative session, you’ll see a few states with these GDPR-like proposals. I think that’ll be the next thing.”

Americans accept certain degree of lack of privacy online

Although states may be migrating towards consumer-friendly privacy policies, Stauss wouldn’t bet on the federal government following suit anytime soon. Stauss, pointing to the congressional hearings over both Equifax’s data breach and Facebook Inc.’s disclosure of data to political consulting group Cambridge Analytica, said, “Huge companies, congressional hearings, and that doesn’t result in legislation? It’s hard to envision what’s going to do it on a federal level.”

While state laws may be shifting towards GDPR, Stauss thinks U.S. citizens are still operating on a totally different paradigm of privacy than much of Europe. “I think people have come to accept a certain degree of lack of privacy online. We’re also a society that takes Amazon and Google products, the Dot, Amazon Echo, and put them in our home,” he noted.

Gabrielle Orum Hernández is a reporter with ALM Media publications Legaltech News and the Daily Report covering legal technology startups and vendors. She can be reached by email at ghernandez@alm.com, or on Twitter at @GMOrumHernandez.