Recently, a new bill was signed by Colorado Governor John Hickenlooper, creating far-reaching new requirements for entities that collect or maintain personal identifying information of Colorado residents. These requirements, which will create one of the strictest state-based privacy and data breach laws in the country, will go into effect September 1, 2018. The Colorado Attorney General’s office led part of the effort to pass the new law, making enforcement a likely priority.
The new law requires organizations to maintain a policy for disposing of documents with consumer data and to notify Colorado residents of any potential personal information exposure no later than 30 days after discovering a data breach. The 30-day notification window does not provide for any specific exemptions (such as HIPAA) and is the shortest of any U.S. state.