Colorado’s governor recently signed into law an update to the state’s breach notice law.  As we reported yesterday the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username or email address (in combination with passwords or security questions). The law now calls for companies to conduct investigations when they become aware that a breach may have occurred (rather than when they become aware of a breach). Also modified is the window that companies have to provide notice, joining Florida in requiring notice within 30 days (as compared to the current “without unreasonable delay”).

The law will also join a handful of others (including California, Florida and Illinois) in requiring specific content in notices to impacted individuals. This includes the date or date range of the breach, type of information impacted, and contact information for the company, FTC, and credit reporting agencies. For breaches that impact usernames and passwords, companies will also need to tell people to change their passwords and as appropriate to take other steps to protect their account. Notice to the state Attorney General will be required if more than 500 residents are affected. If more than 1,000 residents are impacted then the company also needs to notify credit reporting agencies.

Putting It Into Practice: Companies updating their nationwide incident response plans should take into account Colorado’s 30 day timing requirement, notice content requirements, and AG notification requirement (if more than 500 residents are impacted).