1.6 Million Colorado Residents Affected by Data Breaches Since 2020

Colorado has a strong data security bill, but to give more control to consumers, two more data privacy laws have been proposed.

The Colorado Attorney General recently reported that data breaches have impacted 1.6 million residents and nearly 200 organizations since January 2020. This significant risk exposure has caused state legislators to introduce two new consumer data privacy bills in addition to one that is already codified in Colorado statutes.

In 2018, Colorado passed a data security bill requiring organizations to create a policy on how they store and destroy consumer data. It also included notification requirements to be followed after a data breach exposure. After numerous data breaches were reported to the Attorney General’s office, Colorado legislators decided to tighten up the state law by adopting more comprehensive privacy laws to safeguard residents, businesses and governmental entities.

Some of the reported data breaches in Colorado include:

The City of Lafayette – Paid $45,000 to regain control of its servers after a ransomware attack in July 2020. Phone and email service functions were disabled, as well as online payment and reservations systems and other critical functions of the Boulder County municipality. City officials remained quiet until after the ransom was paid. City Manager Fritz Sprague reported that it would take a week or more to decrypt the city’s data and systems.

GoDaddy – Reported eight affected Colorado accounts after the web-hosting company previously announced that 28,000 accounts were compromised in October 2019.

Zoetop Business Co. Ltd. – The overseas online retailer operating as Romwe notified more than 110,000 Colorado residents about a security breach in 2020 that may have originated from a 2018 computer hack. Another popular Zoetop online retailer, Shein, experienced a 2018 cyberattack resulting in the data exposure of more than six million customers. Zoetop also filed data breach notices in Texas (636,608 customers), New Hampshire (29,914 customers) and Delaware (24,620 customers).

SCL Health Colorado – In July 2021, SCL notified the U.S. Department of Health and Human Services that 343,493 current and former patients’ personal data may have been exposed.

Although Colorado’s privacy law was intended to strengthen data security, the state attorney general is responsible for enforcement. Limited staff and budgetary constraints make it difficult for the state’s top legal eagle to enforce the statute. In one reported instance, the Colorado Attorney General’s office settled a ransomware case involving Kozleski CPAs of Woodland Park. The accounting firm agreed to pay a fine of $15,000 to settle the case.

Colorado residents may have better control over their data under the two new pieces of introduced legislation.

House Bill 1111 requires all state government agencies to ask Colorado residents every 90 days to consent to their personal information being stored with the agency and allow people to request disposal of the data. Delays were allowed for law enforcement if disposing of the data impacted a criminal investigation. After a financial impact statement estimated it would cost $2.8 billion to implement the new law, the bill’s author, Rep. Hugh McKean, amended it to create an advisory group to study where state agencies store personal data.

Senate Bill 190 would give residents the right to find out what personal data companies have stored and ask that it be deleted. Critics say this bill leaves enforcement to the Attorney General’s office and prevents consumers from taking their own action with a lawsuit.

Senate Bill 190 passed on a preliminary vote in the Senate on Tuesday. The measure still requires a final vote before moving to the House.

Only California and Virginia have passed comprehensive consumer privacy laws. Oklahoma’s attempt at passing similar legislation failed earlier this year.