Colorado passed a bill amending security breach disclosure requirements. Under the bill, covered entities (persons that own, maintain or license personal information) must provide a security breach disclosure to affected Colorado residents no later than 30 days after discovering or receiving notification of a security system breach. The bill also requires covered entities to provide a security breach notification to the Colorado attorney general if a security breach affects 500 or more Colorado residents. In addition, the bill: amended the definition of “personal information” and “security breach”; mandates the information that must included in a security breach disclosure and notification; revised requirements with respect to delivery of a security breach disclosure; and amended notification requirements for third-party service providers (entities that maintain, store, or process personal identifying information on behalf of a covered entity). The bill becomes effective September 1, 2018.
See Colorado General Assembly website for the full text of the Statutes:
http://leg.colorado.gov/sites/default/files/documents/2018A/bills/2018a_1128_signed.pdf
