Representative Bridges and Representative Wist, co-prime bill sponsors, presented House Bill 18-1128. The bill makes changes related to the handling of personally identifying information and required procedures and notifications if this information is breached.
The bill requires each public and private entity in the state that maintains paper or electronic documents that contain personally identifying information to develop a written policy for the disposal of such records. Unless otherwise required by federal law, this policy must require the destruction of these records in a manner that ensures the personally identifying information is unreadable through any means.
A person who maintains, owns, or licenses personally identifying information or uses a third party as a service provider must implement and maintain appropriate security procedures to protect personally identifying information from unauthorized access.
An individual or commercial entity is required to provide notice to the Colorado Attorney General within seven days if unencrypted or encrypted computerized data is breached and the breach is believed to impact 500 or more Colorado residents. The Attorney General is authorized to investigate and prosecute the breach upon receipt of this notice.
Amendments L.003 [Attachment A], a strike-below amendment, and amendments L.005, L.006, and L.008 [Attachments B to D], all of which amended L.003, were distributed to the committee.