Legaltech news (sub. req.) reported on June 6th that Colorado Gov. John Hickenlooper signed bipartisan bill HB18-1128, "Protections for Consumer Data Privacy," officially putting in place some of the most stringent requirements for personal information data disposal and data breach notification in the United States. The law will take effect on September 1st.
The new law requires organizations to maintain a policy for disposing of documents with consumer data and notify Colorado residents of any potential personal information exposure no later than 30 days after discovering a data breach. And note well: The 30-day notification window does not provide for any specific exemptions and is the shortest of any state.
The law expands the state's definition of "personally identifying information" and requires organizations to provide Colorado residents affected by data breaches with the estimated date of the breach and a description of what information was likely accessed.
While Health Insurance Portability and Accountability Act (HIPAA) regulations require that organizations disclose potential data breaches within 60 days, Colorado's new standards for personal information now require HIPAA-guided organizations to comply with its 30-day window.
My prediction, and that of many others, is guided by the conviction that we have a dysfunctional Congress. The states are taking up some of the slack and are likely to come up with more privacy laws, some of them probably cousins to the European Union's GDPR.
Of course, having a patchwork of state laws makes not a whit of sense – but until Congress gets its act together, that's what businesses are having to deal with.