February 24, 2018
In January, a new data breach notification bill was introduced in Colorado proposing updates to state law to improve protections for residents affected by data breaches. The bill set a maximum of 45 days for businesses to notify individuals whose personal information was exposed or stolen as a result of a breach. The definition of personal information was also expanded to cover a much wider range of data, including data protected by HIPAA: medical information, health insurance information, and biometric data.
Last week, Colorado’s House Committee on State, Veterans, and Military Affairs voted to pass an amended version of the bill, which has now been referred to the Committee on Appropriations for consideration.
The amended bill adds further data elements to the list classified as personal information: passport numbers, military IDs, and student IDs. The notification window has also been shortened. In place of the 45 days proposed in the original bill, notices must now be issued within 30 days of the date on which a security breach is determined to have occurred.
Usually, when a state passes a law to improve protections for residents whose personal information is exposed, companies that comply with federal data breach notification rules are deemed to be in compliance with the state law as well.
The new bill makes clear that this will not necessarily be the case. Healthcare organizations covered by HIPAA have up to 60 days to notify breach victims. The amended bill states that when federal law also requires notifications to be sent, the breached entity must comply with whichever law has the shorter notification deadline.
That means HIPAA-covered entities that experience a data breach affecting Colorado residents would have half as long to issue notifications as HIPAA alone allows.
The original bill required breached entities to notify the state attorney general within 7 days of discovering a breach affecting 500 or more Colorado residents. The amended bill relaxes that requirement to 30 days after discovery of a breach of personal information. Further, the state attorney general need not be notified if the breached data has not been misused and misuse is not reasonably likely to occur.
If the bill becomes law, Colorado residents will be among the best protected in the United States; only Florida has adopted such a stringent deadline for notifying breach victims. Colorado residents would also be considerably better protected when their data is exposed by a healthcare organization, with the notification window cut in half.