Data Protection Report - Norton Rose Fulbright

As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections.  On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs.

The proposed bill overlaps with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and state privacy laws. As discussed in the prior post, the initial bill expanded the categories of “personal information” that are covered by the state’s data breach notification law, including medical information, health insurance information, and biometric data.  The amended bill further expands the definition of “personal information” to include student, military, or passport identification numbers.

Additionally, the amended bill substantially revises the proposed notification time requirements.  Currently, under Colorado law entities must provide notice to affected individuals “in the most expedient time possible and without unreasonable delay.”  The initial draft bill would enhance state notice requirements by requiring that notice be provided no later than 45 days “from the date of the security breach.”  That initial provision created concerns because entities often do not know that there has been a loss or compromise of confidential information until long after the security breach.  Addressing these concerns, the amended bill provides that notice must be provided “not later than 30 days after the date of determination that a security breach occurred” and defines “determination that the security breach occurred” as “the point in time at which there is sufficient evidence to conclude that a security breach has taken place.”

This 30-day notice rule specifically conflicts with HIPAA’s timing requirements.  Under HIPAA, healthcare organizations must report breaches within 60 days after a breach is discovered.  The amended bill addresses this overlap by stating that “in the case of a conflict between the time period for notice to individuals [under Colorado law or federal regulation or law], the law or regulation with the shortest time frame for notice to the individual controls.”

The amended bill also changes the time frame for notifying the state Attorney General’s office of a security event involving 500 or more Colorado residents. Under the original draft bill, entities would have been required to notify the Attorney General’s office within seven days after discovery of the breach.  The amended legislation significantly expands that time frame to 30 days, and it clarifies that notice is not required if “the investigation determines that the misuse of information about a Colorado resident has not occurred and is not likely to occur.”

The amended bill has been referred to the Committee on Appropriations for consideration.  If the bill passes, Colorado would join Florida as the toughest states on breach notification timelines.  Generally, states have been steadily proposing modifications to privacy laws, given the increase in cyberattacks.  Data Protection Report will continue to monitor further developments in Colorado, as well as any other jurisdictions enhancing their data breach notification laws.

Special thanks to Robert Kantrowitz* for his assistance in drafting this post.

*Law Clerk–not admitted to practice law.