For CUs, New Colorado Data Breach Law Means More Time Policy-Watching

Experts say this new law could cause some headaches with multistate breaches.

New data breach policies impacting credit union IT teams.

Starting on September 1, credit unions and other organizations doing business with Colorado residents will have just 30 days to notify members about data breaches, thanks to a new law in the state. The change highlights the growing importance among credit unions of keeping an eye on state-level data-breach regulations, according to one cybersecurity attorney.

In addition to its 30-day notification deadline, the law in Colorado, which the governor signed at the end of May, requires businesses to have written policies for disposing of certain data records, use reasonable security measures to protect personally identifying information and tell the Colorado Attorney General about breaches involving 500 or more Colorado residents.

The law’s 30-day breach notification deadline is the shortest in the country, and there are no exceptions for credit unions or nonprofits, said Greg Szewczyk, an attorney at Ballard Spahr in Denver, Colo.

“Financial institutions will be covered under this like everybody else,” he said.

“Essentially what it boils down to is if you’re an entity doing business in Colorado that has personal information on Colorado residents, you’re subject to the law,” he said.

Generally, credit unions and other entities that stay in compliance with their existing state and/or federal regulators are deemed in compliance with the Colorado law, Szewczyk added. But that’s not a reason to disregard the state’s new rules, he warned. An affected entity typically still only has 30 days to make breach notifications even if other regulations provide longer timelines, the attorney said.

Businesses that don’t provide notice in time or follow the other rules may have to answer to Colorado’s attorney general.

“I would just say for credit unions in particular, and for other entities that are used to being regulated with other entities that sometimes give them a full safe harbor, is make sure you’re aware of both the Colorado law and what it might require you to do that is changing when you’re responding to a multistate breach,” Szewczyk said.

Credit unions should also closely monitor what other states are doing with their breach-notification laws. Szewczyk said about 20% of states have changed their definitions of “personal information,” for example.

“States are trying to step up, and in some cases to one-up each other, and in other cases you could say trying to fill a gap since there hasn’t been any comprehensive federal legislation,” he said.

“Even though Colorado has some novel first-in-the-nation, most-aggressive-in-the-nation provisions now,” Szewczyk added, “there’s nothing to say that states who have a fall legislative session aren’t going to try to go even further.”