C.R.S. Section 6-1-716
Notification of security breach


(1)

Definitions.
As used in this section, unless the context otherwise requires:

(a)

“Biometric data” means unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account.

(b)

“Covered entity” means a person, as defined in section 6-1-102 (6), that maintains, owns, or licenses personal information in the course of the person’s business, vocation, or occupation. “Covered entity” does not include a person acting as a third-party service provider as defined in subsection (1)(i) of this section.

(c)

“Determination that a security breach occurred” means the point in time at which there is sufficient evidence to conclude that a security breach has taken place.

(d)

“Encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

(e)

“Medical information” means any information about a consumer’s medical or mental health treatment or diagnosis by a health-care professional.

(f)

“Notice” means:

(I)

Written notice to the postal address listed in the records of the covered entity;

(II)

Telephonic notice;

(III)

Electronic notice, if a primary means of communication by the covered entity with a Colorado resident is by electronic means or the notice provided is consistent with the provisions regarding electronic records and signatures set forth in the federal “Electronic Signatures in Global and National Commerce Act”, 15 U.S.C. sec. 7001 et seq.; or

(IV)

Substitute notice, if the covered entity required to provide notice demonstrates that the cost of providing notice will exceed two hundred fifty thousand dollars, the affected class of persons to be notified exceeds two hundred fifty thousand Colorado residents, or the covered entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:

(A)

E-mail notice if the covered entity has e-mail addresses for the members of the affected class of Colorado residents;

(B)

Conspicuous posting of the notice on the website page of the covered entity if the covered entity maintains one; and

(C)

Notification to major statewide media.

(g)

(I)

(A)

“Personal information” means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: Social security number; student, military, or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data;

(B)

A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; or

(C)

A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.

(II)

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.

(h)

“Security breach” means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity. Good faith acquisition of personal information by an employee or agent of a covered entity for the covered entity’s business purposes is not a security breach if the personal information is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.

(i)

“Third-party service provider” means an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity.

(2)

Disclosure of breach.

(a)

A covered entity that maintains, owns, or licenses computerized data that includes personal information about a resident of Colorado shall, when it becomes aware that a security breach may have occurred, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The covered entity shall give notice to the affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. Notice must be made in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

(a.2)

In the case of a breach of personal information, notice required by this subsection (2) to affected Colorado residents must include, but need not be limited to, the following information:

(I)

The date, estimated date, or estimated date range of the security breach;

(II)

A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach;

(III)

Information that the resident can use to contact the covered entity to inquire about the security breach;

(IV)

The toll-free numbers, addresses, and websites for consumer reporting agencies;

(V)

The toll-free number, address, and website for the federal trade commission; and

(VI)

A statement that the resident can obtain information from the federal trade commission and the credit reporting agencies about fraud alerts and security freezes.

(a.3)

If an investigation by the covered entity pursuant to subsection (2)(a) of this section determines that the type of personal information described in subsection (1)(g)(I)(B) of this section has been misused or is reasonably likely to be misused, then the covered entity shall, in addition to the notice otherwise required by subsection (2)(a.2) of this section and in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system:

(I)

Direct the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the covered entity and all other online accounts for which the person whose personal information has been breached uses the same username or e-mail address and password or security question or answer.

(II)

For log-in credentials of an e-mail account furnished by the covered entity, the covered entity shall not comply with this section by providing the security breach notification to that e-mail address, but may instead comply with this section by providing notice through other methods, as defined in subsection (1)(f) of this section, or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an internet protocol address or online location from which the covered entity knows the resident customarily accesses the account.

(a.4)

The breach of encrypted or otherwise secured personal information must be disclosed in accordance with this section if the confidential process, encryption key, or other means to decipher the secured information was also acquired in the security breach or was reasonably believed to have been acquired.

(a.5)

A covered entity that is required to provide notice to affected Colorado residents pursuant to this subsection (2) is prohibited from charging the cost of providing such notice to such residents.

(a.6)

Nothing in this subsection (2) prohibits the notice described in this subsection (2) from containing additional information, including any information that may be required by state or federal law.

(b)

If a covered entity uses a third-party service provider to maintain computerized data that includes personal information, then the third-party service provider shall give notice to and cooperate with the covered entity in the event of a security breach that compromises such computerized data, including notifying the covered entity of any security breach in the most expedient time possible, and without unreasonable delay following discovery of a security breach, if misuse of personal information about a Colorado resident occurred or is likely to occur. Cooperation includes sharing with the covered entity information relevant to the security breach; except that such cooperation does not require the disclosure of confidential business information or trade secrets.

(c)

Notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and the law enforcement agency has notified the covered entity that conducts business in Colorado not to send notice required by this section. Notice required by this section must be made in good faith, in the most expedient time possible and without unreasonable delay, but not later than thirty days after the law enforcement agency determines that notification will no longer impede the investigation and has notified the covered entity that conducts business in Colorado that it is appropriate to send the notice required by this section.

(d)

If a covered entity is required to notify more than one thousand Colorado residents of a security breach pursuant to this section, the covered entity shall also notify, in the most expedient time possible and without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by the federal “Fair Credit Reporting Act”, 15 U.S.C. sec. 1681a (p), of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. Nothing in this subsection (2)(d) requires the covered entity to provide to the consumer reporting agency the names or other personal information of security breach notice recipients. This subsection (2)(d) does not apply to a covered entity who is subject to Title V of the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. sec. 6801 et seq.

(e)

A waiver of these notification rights or responsibilities is void as against public policy.

(f)

Intentionally left blank —Ed.

(I)

The covered entity that must notify Colorado residents of a data breach pursuant to this section shall provide notice of any security breach to the Colorado attorney general in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred, if the security breach is reasonably believed to have affected five hundred Colorado residents or more, unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not likely to occur.

(II)

The Colorado attorney general shall designate a person or persons as a point of contact for functions set forth in this subsection (2)(f) and shall make the contact information for that person or those persons public on the attorney general’s website and by any other appropriate means.

(g)

The breach of encrypted or otherwise secured personal information must be disclosed in accordance with this section if the confidential process, encryption key, or other means to decipher the secured information was also acquired or was reasonably believed to have been acquired in the security breach.

(3)

Procedures deemed in compliance with notice requirements.

(a)

Pursuant to this section, a covered entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information and whose procedures are otherwise consistent with the timing requirements of this section is in compliance with the notice requirements of this section if the covered entity notifies affected Colorado residents in accordance with its policies in the event of a security breach; except that notice to the attorney general is still required pursuant to subsection (2)(f) of this section.

(b)

A covered entity that is regulated by state or federal law and that maintains procedures for a security breach pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section; except that notice to the attorney general is still required pursuant to subsection (2)(f) of this section. In the case of a conflict between the time period for notice to individuals that is required pursuant to this subsection (3) and the applicable state or federal law or regulation, the law or regulation with the shortest time frame for notice to the individual controls.

(4)

Violations.
The attorney general may bring an action in law or equity to address violations of this section, section 6-1-713, or section 6-1-713.5, and for other relief that may be appropriate to ensure compliance with this section or to recover direct economic damages resulting from a violation, or both. The provisions of this section are not exclusive and do not relieve a covered entity subject to this section from compliance with all other applicable provisions of law.

(5)

Attorney general criminal authority.
Upon receipt of notice pursuant to subsection (2) of this section, and with either a request from the governor to prosecute a particular case or with the approval of the district attorney with jurisdiction to prosecute cases in the judicial district where a case could be brought, the attorney general has the authority to prosecute any criminal violations of section 18-5.5-102.

Source: Section 6-1-716 — Notification of security breach, https://leg.colorado.gov/sites/default/files/images/olls/crs2023-title-06.pdf (accessed Oct. 20, 2023).

Current through Fall 2024