Colorado Revised Statutes § 6-1-716
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
Yes! §6-1-716(1)(a) reads as follows: "'Breach of the security of the system' means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or commercial entity for the purposes of the individual or commercial entity is not a breach of the security of the system if the personal information is not used for or is not subject to further unauthorized disclosure."
When is notice required?
The notice requirements are triggered as soon as an investigation determines that a breach is likely to result in, or has already resulted in, the misuse of the personal information that was lost. See §6-1-716(2). Notice should be made within a reasonable time frame that allows for conducting the investigation and restoring integrity, and the section also includes a delayed notice exemption if there is a pending law enforcement investigation. See §6-1-716(2)(a). Notice is defined under §6-1-716(1)(c) and includes written, telephonic, and electronic notice, as well as substitute notice measures for other circumstances. There is no language that details what information must be included in the notice.
What are the penalties for non-compliance?
Violations are addressed by the Attorney General, who may "bring an action...to address violations of this section and for other relief that may be appropriate to ensure compliance with this section or to recover direct economic damages resulting from a violation, or both." See §6-1-716(4).