- The Colorado House Committee on State, Veterans, and Military Affairs unanimously approved an amended data privacy law that would require entities to implement “reasonable security procedures” to protect consumers’ personal information. The Colorado legislature still needs to consider the amended bill.
Protections for Consumer Data Privacy (HB18-1128) was introduced in January 2018, and previously expanded the definition of “personal information,” accounting for medical information, health insurance information, and biometric data. HB18-1128 also updated the data breach notification requirement and the disposal process for electronic and paper documents.
The amended bill added language to address certain concerns that had been raised, including those related to the HIPAA Security Rule and the Gramm-Leach-Bliley Act (GLBA).
Colorado law firm Ballard Spahr LLP was one organization that noted potential privacy and security issues with the legislation.
“This new provision will only create a partial safe harbor for HIPAA/GLBA-regulated entities because the Colorado statute's definition of ‘personal identifying information’ is different than the definitions of ‘electronic protected health information’ and ‘customer information’ under the Security and Safeguards Rules,” explained a Ballard Spahr blog post.
“With respect to HIPAA, the Colorado statute's definition of PII does not include health or medical information but does include other types of information that are beyond HIPAA's coverage, such as passwords and passcodes,” the blog post continued. “The takeaway is that while this new language will help HIPAA/GLBA-regulated entities, they will still need to take measures to ensure compliance with the Colorado statute.”
The amended bill also changes Colorado’s data breach notification requirement. Under the newer legislation, entities that maintain or own computerized data must provide notification “in the most expedient time possible and without unreasonable delay” but not later than 30 days after determining a security incident occurred.
This created an issue because HIPAA regulation gives covered entities and business associates a 60-day notice time frame. When medical information and health insurance identification numbers were added to the definition of personal information, it might not be clear which time frame an organization would need to follow.
“In the case of a conflict between the time period for notice to individuals that is required…and the applicable state or federal law or regulation, the law or regulation with the shortest time frame for notice to the individual controls,” the amended law reads.
The time frame for providing notification to the Colorado Attorney General’s Office is also different in the amended bill.
Entities must notify the Attorney General's office within 30 days after discovery of the breach, compared to the previously proposed seven-day time frame.
“The breach of encrypted or otherwise secured personal information must be disclosed…if the confidential process, encryption key, or other means to decipher the secured information was also acquired or was reasonably believed to have been acquired in the security breach,” the legislation states.
The amended bill also further expands the definition of personal information to include student, military, and passport identification numbers.
The House Committee on State, Veterans, and Military Affairs referred the amended bill to the House Appropriations Committee on February 14, 2018.
The data breach notification process has been at the forefront of many lawmakers’ minds recently, especially in the wake of large-scale data breaches such as Equifax.
Florida Senator Bill Nelson introduced legislation in November 2017 that would require more prompt data breach notification.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” Nelson explained in a statement. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
Additionally, the bill said organizations subject to the HITECH Act or the HIPAA Security Rule “shall be deemed in compliance with…respect to any data governed” by those requirements. Nelson’s bill also set a 30-day time frame for notification.
“Any person who, having knowledge of a breach of security and of the fact that notification of the breach of security is required under the Data Security and Breach Notification Act, intentionally and willfully conceals the fact of the breach of security, shall, in the event that the breach of security results in economic harm to any individual in the amount of $1,000 or more, be fined under this title, imprisoned for not more than 5 years, or both,” the bill said.