• Original Reporting
  • On the Ground
  • Sources Cited
Original Reporting This article contains new, firsthand information uncovered by its reporter(s). This includes directly interviewing sources and research / analysis of primary source documents.
On the Ground Indicates that a Newsmaker/Newsmakers was/were physically present to report the article from some/all of the location(s) it concerns.
Sources Cited As a news piece, this article cites verifiable, third-party sources which have all been thoroughly fact-checked and deemed credible by the Newsroom in accordance with the Civil Constitution.
Colorado House Bill 1128 requires companies that store Colorado customers personal data to have a data-privacy protection policy and ability to notify breached customers within 30 days -- one of the fastest notification systems in the world. Many businesses don't seem prepared on day one, Sept. 1, 2018.

When Colorado’s new consumer data-privacy protection law goes in effect Sept. 1, the rules will be among the strictest in the nation. Any company or public agency storing a Coloradan’s personal details will now need a data-protection policy, a swift notification system and the means to destroy the data when it’s no longer needed.

But getting to full compliance may be more difficult than passing legislation, which received unanimous approval in the state legislature earlier this year. Businesses are scrambling to get a written policy and procedures in place. But that’s only if they’re aware of it.

“No small businesses have talked to me about this,” said Chris Chavez, a communications director for the Colorado District Office of the U.S. Small Business Administration. “… I would assume most small business owners do not know about this law.”

House Bill 1128 sped through the legislature and was signed by Gov. John Hickenlooper on May 29. Approval was unanimous, though there were some tweaks — such as adding government agencies — to the original pitch, said state Rep. Cole Wist, who pushed for the law after someone tried to file tax returns about five years ago using his and his wife’s Social Security numbers.

“We’ve had to monitor our credit for several years and to this day, we’ve had to use this special number on our tax returns,” said Wist, a Centennial Republican who is also the assistant House minority leader. “It’s still an ongoing issue for us.”

The fear that sensitive personal details have already been swiped by strangers is real, especially after a data breach at consumer-credit reporting agency Equifax last year exposed personal details of 143 million consumers. Governments from California to Europe have passed laws to protect consumers. While new rules add to the paperwork for businesses, it’s inevitable, Wist said.  

“We’re not trying to set up duplicative requirements or excessive requirements that create burdensome regulations for businesses. Chances are that if they’re in compliance with European or California laws, they’re going to be in compliance here,” Wist said. “What you’ll probably see is Congress coming up with a new standard for the nation. In absence of  Congress acting, we felt it was something we should plant a flag in the ground, which is what we did with this bill.”

The recently passed California Consumer Privacy Act, which goes into effect in 2020, will let state residents find out what personal data has been collected, request it be deleted and opt out of it being sold to someone else.

Colorado’s new law expands on the state’s Consumer Protection Act. It redefines personal data to include a name plus another identifier, such as a health insurance number, biometric data or a security question that unlocks a user’s account. It also sets a deadline of 30 days to notify customers of a breach, one of the shortest in the world.

And the new law impacts all businesses with customers in Colorado — “no exemptions,” said Mitch Tanenbaum, a partner at CyberCecurity, a security consultancy in Littleton that has been hosting educational webinars on the new law.

“One person company — check.  Fortune 500 –check. Home-based business — check.  Healthcare, covered by HIPAA — check. And even local government entities — yup, they are covered, too,” Tanenbaum wrote in an email. “Regarding who is going to be prepared on day one — maybe 10 percent and that is probably generous.”

According to the new law, companies with customers in Colorado must:

  1. Create a security plan explaining how customer data is handled and set a procedure should a breach occur.
  2. Notify affected customers within 30 days. If more than 500 Coloradans are impacted, the business must also notify the state’s attorney general.
  3. Destroy a customer’s personally identifying documents — electronic or paper — when the data is “no longer needed.”

No financial penalty is spelled out, although the attorney general could force a company to provide relief to recover from the economic damage of a breach. Not every business will be in compliance on Sept. 1 and the office would probably seek penalties only after learning of a breach, said Alissa Gardenswartz, the state’s deputy attorney general for consumer protection.

“We’re not going to be knocking on everyone’s door making sure they have a policy in place,” Gardenswartz said. “But we are making sure they have taken every precaution and are doing everything they can to protect the consumer.”

Lawyers from Denver law firm Brownstein Hyatt Farber Schreck met in July to discuss what all this means for clients. The sentiment was that larger businesses were already prepared because they had to meet a May 25 deadline for the European version of consumer data protection, the General Data Protection Regulation, known as GDPR.

“Long term, these requirements are going to be coming to the U.S. and if not, from a public relations perspective, it’s helpful to say, ‘We’re going above and beyond what we have to do to protect your privacy,’” Esteban Morin, a Brownstein associate specializing in privacy and data security, said at the time.

The state doesn’t offer clear guidance about what should be in a data-breach policy. But Tanenbaum points to a year-old regulation from the New York Department of Financial Services as a guideline. Section 500 forces financial services to protect consumer data and spells out what is needed. A few tips:

  • Identify internal and external risks that threaten the security of private personal data stored on company systems.
  • Use software or hardware to monitor systems, detect unauthorized access and respond and recover from malicious attacks.
  • Put someone in charge of the cybersecurity.

The new Colorado law is still seen as one of the toughest in the U.S. And it may become a model for the future, said Paula Miller, a senior vice president at Marsh, a national insurance brokerage with an office in Denver.

“The significance of (Colorado’s law) is it can serve as a template or model for businesses across the country,” Miller said. “If you are a consumer-facing business and do business across multiple states, the easiest way to ensure your practices are compliant is to pick the one state with the most stringent requirements. And now, Colorado is at the top of the list.”

This story first appeared in The Colorado Sun’s newsletter, The Sunriser. You can subscribe here:

Tamara writes about businesses, technology and the local economy for The Colorado Sun. She also writes the "What's Working" column, available as a free newsletter at Contact her at,...