Data Security Breach Notice
A data security breach occurs when there is unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or a commercial entity, including a not-for-profit entity.
Data Security Breach Notification Methods
Notification of a data security breach can be made by:
1. written notice to the postal address on record
2. telephone notice
3. electronic notice, or
4. substitute notice, if the cost of providing the notice would exceed $250,000.
Substitute notice consists of all of the following:
1. E-mail notice, if the e-mail address is known
2. Conspicuous posting of the notice on a website of the recordkeeper, if one exists
3. Notification to major statewide media
Personal information means a Colorado resident’s first name or first initial and last name, in combination with one or more of the following data elements, when the data elements are not encrypted, redacted or secured by any other method that makes the data element unreadable or unusable:
1. Social security number
2. Driver’s license number or identification card number
3. Account number, credit card number or debit card number, in combination with any security code, access code or password that would permit access to a resident’s financial account
Personal information does not include publicly available information that is lawfully made available from government records or widely distributed media.
When the recordkeeper becomes aware of a data security breach, the recordkeeper shall conduct a prompt investigation to determine the likelihood that personal information has been or will be misused. Notice must be given to the affected Colorado residents as soon as possible, consistent with the legitimate needs of law enforcement and with the time needed to determine the scope of the breach and to restore the reasonable integrity of the data system.
Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and has notified the recordkeeper not to send the notice until a later date.
A recordkeeper that maintains a Written Information Security Policy (WISP) containing its own notification procedures for a data security breach shall be deemed to be in compliance with this section if it follows those procedures and they are otherwise consistent with the timing requirements of this section.
The Colorado Attorney General may initiate legal action to address violations of this section, including recovery of direct economic damages resulting from a violation.
Use Encryption, not Plain Text Data
Tip: The notification duty is triggered by unauthorized acquisition of unencrypted data; data elements that are encrypted, redacted or otherwise rendered unreadable fall outside the definition of personal information above. Storing personal information in plain text is therefore not recommended: it raises both the risk of theft and the cost of a breach. Encryption only helps if the key is not taken along with the data, so keep the encryption key separate from the records it protects (never in the same database, file or backup as the ciphertext). If personal information is not needed, do not collect or store it; where a partial value will do, keep only the last four digits of an ID or account number rather than the full number.
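The following is an added illustration of the tip above, not code from the original page or from the State of Colorado: a record store that keeps a Social Security number only as AES-GCM ciphertext plus its last four digits, with the data-encryption key held in a separate object that stands in for an external key store. The record layout, the Keyring type and the sample name and number are all assumptions made for the example; the ciphertext is bound to the record's name through the authenticated additional data, so a ciphertext moved onto another record fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// StoredRecord is what the record store holds. The full SSN never appears
// in plain text; only the last four digits are kept readable for display.
// (Hypothetical layout for this example.)
type StoredRecord struct {
	Name      string
	SSNLast4  string // plain, display only
	SSNCipher []byte // nonce || AES-GCM ciphertext of the full SSN
}

// Keyring stands in for an external key store (e.g. a KMS or HSM): the key
// lives here, not in the record store, so a copy of the records alone is
// unreadable. (Hypothetical type for this example.)
type Keyring struct{ key []byte }

// NewKeyring generates a fresh random 256-bit AES key.
func NewKeyring() (*Keyring, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Keyring{key: key}, nil
}

// seal encrypts plaintext with AES-256-GCM under a random nonce and binds
// the ciphertext to aad; the nonce is prefixed to the returned bytes.
func (k *Keyring) seal(plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, ciphertext or aad differ.
func (k *Keyring) open(sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Last4 returns the last four digits of an ID or account number, ignoring
// separators such as dashes, and rejects values with fewer than four digits.
func Last4(id string) (string, error) {
	var digits []rune
	for _, r := range id {
		if r >= '0' && r <= '9' {
			digits = append(digits, r)
		}
	}
	if len(digits) < 4 {
		return "", errors.New("identifier has fewer than four digits")
	}
	return string(digits[len(digits)-4:]), nil
}

// StoreRecord builds the record that goes into the database: the full SSN
// is sealed under the keyring's key with the name as additional data.
func StoreRecord(kr *Keyring, name, ssn string) (StoredRecord, error) {
	last4, err := Last4(ssn)
	if err != nil {
		return StoredRecord{}, err
	}
	ct, err := kr.seal([]byte(ssn), []byte(name))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Name: name, SSNLast4: last4, SSNCipher: ct}, nil
}

// RecoverSSN decrypts the full SSN; it needs both the record and the key.
func RecoverSSN(kr *Keyring, r StoredRecord) (string, error) {
	pt, err := kr.open(r.SSNCipher, []byte(r.Name))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	kr, err := NewKeyring()
	if err != nil {
		panic(err)
	}
	// Constructed sample data, not a real person.
	rec, err := StoreRecord(kr, "Jane Doe", "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: name=%q last4=%s cipher=%s\n",
		rec.Name, rec.SSNLast4, hex.EncodeToString(rec.SSNCipher))
	full, _ := RecoverSSN(kr, rec)
	fmt.Println("recovered with key:", full)
}
```

Losing the record store alone yields only names and last-four digits; an attacker who also obtains the keyring's key gets everything, which is why the key must not be stored beside the records.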
[See Colorado law CRS 6-1-716 for more detailed information.]