By Deborah Howitt
Director, Lewis Bess Williams & Weese P.C.
Colorado recently passed House Bill 18-1128, which applies to all entities—including nonprofits—that handle applicable information of Colorado residents. Nonprofits potentially maintain applicable personal information relating to a variety of individuals, including current or former directors, employees, donors, volunteers, or others involved with the organization. The law sets forth a series of mandatory data security and breach notification requirements, and will become effective September 1, 2018.
The new law imposes data security obligations on entities with the following information relating to Colorado residents, in any paper or electronic documents:
- Social Security number, personal ID number, passport number, or official state or government-issued driver’s license or ID card number;
- Employer, student, or military ID number;
- Password or pass code (for example, as used to register on a website, create a volunteer or donor account, or for employees logging in to the company’s systems);
- Biometric data (for example, fingerprint or facial recognition information); and
- Financial transaction device (a credit/debit card, banking card, EFT card, guaranteed check card or similar card, which may be used by individuals making donations or otherwise).
Entities with the above information must follow specific security measures, including:
- Maintaining a written policy mandating destruction of the above information when “no longer needed” by rendering the information unreadable or indecipherable;
- Implementing reasonable security procedures and practices appropriate for the nature of the information, the business, and its operations; and
- Requiring that third-party service providers implement and maintain security practices appropriate to the nature of the information and reasonably designed to help protect the information from unauthorized access, use, modification, disclosure, or destruction.
Breach Notification Requirements
In the event of a security breach, entities with certain information about Colorado residents may be obligated to notify individuals within 30 days of discovering the breach. These obligations will apply if there is an unauthorized acquisition of any of the following types of information, in unencrypted form, and it is reasonably likely that the information will be misused:
- First name or first initial and last name combined with unencrypted social security number, student or military ID number, passport ID number, driver’s license or ID card number, medical information, health insurance ID number, or biometric data;
- Username or email address combined with a password or security questions and answers; or
- Account number or credit/debit card number combined with any security code, access code, or password required for account access.
Notice should be by mail unless the primary means of communication was electronic. The law includes detailed requirements regarding the content of the notice. In some circumstances, notice must also be sent to the Colorado Attorney General and consumer reporting agencies.
Because of the detailed requirements, and the fact that notice must be sent in 30 days, we strongly recommend that nonprofits develop an Incident Response Plan, including instructions for employees if a data breach is suspected.
For More Information
This post is only a summary of the law, and the law contains other requirements not described here (the complete statute is available here). In addition, nonprofit organizations with donors, volunteers, employees or directors beyond Colorado potentially are subject to the data breach notification and security laws of those other states as well (which in some cases may differ significantly from the Colorado requirements).
Please contact Deborah Howitt at 303-228-2502 or firstname.lastname@example.org with questions, or if you would like assistance with security policies, privacy policies, Incident Response Plans or responding to a data breach.