Numerous types of organizations that interact with Colorado residents may constitute "covered entities," since "personal information" comprises a broad swath of data — including:

a Colorado resident's first name or first initial and last name in combination with other unencrypted/un-redacted/usable information (e.g., passport, drivers' license, military, student, or other identification numbers);
medication information;
biometric information; or
other information that would permit a third party to access an individual's user account (e.g., username plus security questions or password).

Moreover, the notifications must contain specific information:

The date (or date range) of the breach;
A description of the personal information that was acquired or is believed to have been acquired;
Contact information for an individual's further inquiries;
Contact information for consumer reporting agencies;
Contact information for the FTC; and
A statement that the individual may obtain information about fraud alerts and security freezes from the FTC or credit reporting agencies.

As a result of these rigorous obligations, and the likelihood that events will continue to move quickly after public notice of a cybersecurity incident, entities covered by the Colorado provisions should proactively review existing incident response plans to ensure efficient identification of potential issues, prompt involvement of necessary players (including counsel), and timely notification in compliance with Colorado's (and, of course, other domestic or foreign jurisdictions') notice timeline and content requirements.

Special Reports /

5 takeaways from recent cybersecurity developments by Colorado & the SEC

Related Stories

Recommended For You