New State Law that Covers Consumer Data Protection (HB1128)

This legislative session, a new law passed in response to the many data breaches we have heard about on the news in the past few years. The business community worked with legislators to make this law reasonable for small and large businesses alike. It went into effect on September 1 of this year.

So this is the deal: if you or your business has any of the following information (PII), you need to comply with this law: social security numbers; personal identification numbers; passwords; pass codes; official state or government-issued driver’s license or identification card numbers; government passport numbers; biometric data; employer, student, or military identification numbers; and financial transaction devices (credit card or similar electronic fund transfer card), including financial account numbers.

There are two key provisions. The first is a written destruction policy, and the second is notification of a security breach. The written destruction policy must detail when and how you destroy this information. You may keep the information until it is no longer needed. How long you keep the information depends on what you are using it for. The second is notification if there is a security breach. A breach most often would need to include a Colorado resident’s first name or first initial and last name in combination with the information above. First, investigate the likelihood of it being misused. If it is likely it could be misused, then you must provide notice within 30 days.

Another good practice: if your vendors are using this information, be sure they are complying as well. For more detailed information, I encourage you to check out the Attorney General’s website, which has a great breakdown. To see a copy of the legislation, click here.