Under the new Protections for Consumer Data Privacy Act (the “Act”), effective September 1, 2018, most businesses are required to have a written policy governing the storage and retention of “personal identifying information.” In addition, businesses are required to have a notification plan in place to address a data security breach.
Generally, any business that maintains, owns, or licenses personal identifying information (“PII”) of Colorado residents is required to comply with the Act. A limited exception applies to the vendor requirement described below: a business need not impose the Act’s security requirements on a third-party service provider if the business agrees to provide its own security protection for the information it discloses to that vendor. PII includes passwords, social security numbers, personal identification numbers, driver’s license or identification card numbers, pass codes, passport numbers, military, student, or employer identification numbers, financial transaction device numbers, and biometric data. To comply with the new law, businesses are required to do the following:
1. Write and implement a policy addressing data retention and destruction of written or electronic documents containing PII and providing for irrevocable destruction of PII when it is “no longer needed”;
2. Ensure that any vendors (third-party service providers) who handle PII, subject to the exception described above, also have reasonable security procedures in place, including a contractual requirement to notify you in the event of a data breach; and
3. Implement a security breach notification policy under which affected individuals are notified no later than 30 days after the business determines that a breach occurred (notice to the Colorado Attorney General is also required when more than 500 Colorado residents are affected).
A “security breach” is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of “personal information,” a term the Act defines differently from PII. For the breach notification requirement, personal information means (a) a person’s first name or first initial and last name in combination with one or more of the following, where the data element is not encrypted, redacted, or otherwise secured: social security number; student, military, or passport identification number; driver’s license or identification card number; medical information; health insurance identification number; or biometric data; (b) a username or email address in combination with a password or security question and answer that would permit access to an online account; or (c) an account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account. The Act imposes specific notification requirements on businesses in the event a security breach occurs.
You can read the bill in its entirety here:
When developing a records retention/destruction policy, carefully consider the following:
1. Who determines when data is no longer needed.
2. Which records are retained electronically and which on paper.
3. Whether a litigation hold applies to certain documents.
4. Whether the information is, or may become, necessary for collection purposes.
5. How and when the data will be destroyed.
6. Who will destroy the data.
The Act is enforced by the Colorado Attorney General; there is no private right of action.
If you have questions about the Act, such as whether your business is covered under this law, or would like assistance in drafting a policy in compliance with the statute, please contact our office to schedule an appointment. 970-241-5500.