13 Jul Colorado Legislative Update
The Colorado legislature recently amended its laws related to protections for consumer data privacy, effective September 1, 2018. The legislature also amended its laws related to the foreclosure process on property that is encumbered by a deed of trust, effective August 8, 2018.
Colorado House Bill 18-1128
“Biometric data” means unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account.
“Covered entity” means a person (defined as an individual, corporation, business trust, estate, trust, partnership, unincorporated association, or two or more thereof having a joint or common interest, or any other legal or commercial entity) that maintains, owns, or licenses personal identifying information in the course of the person’s business vocation, or occupation. “Covered entity” does not include a person acting as a third-party service provider.
“Determination that a security breach occurred” means the point in time at which there is sufficient evidence to conclude that a security breach has taken place.
“Encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.
- Written notice to the postal address listed in the records of the covered entity;
- Telephonic notice;
- Electronic notice, if a primary means of communication by the covered entity with a Colorado resident is by electronic means or the notice provided is consistent with the provisions regarding electronic records and signatures set forth in the federal ESIGN Act.
- Substitute notice, if the covered entity required to provide notice demonstrates that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 250,000 Colorado residents, or the covered entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
- E-mail notice if the covered entity has e-mail addresses for the members of the affected class of Colorado residents;
- Conspicuous posting of the notice on the website page of the covered entity if the covered entity maintains one; and
- Notification to major statewide media.
“Personal information” means:
- A Colorado resident’s first name or last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military, or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.
- A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; or
- A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
“Security breach” means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity. Good faith acquisition of personal information by an employee or agent of a covered entity for the covered entity’s business purposes is not a security breach if the personal information is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.
“Third-party service provider” means an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity.
Each covered entity in Colorado that maintains paper or electronic documents during the course of business that contain personal identifying information must develop a written policy for the destruction or proper disposal of those paper and electronic documents containing personal identifying information. Unless otherwise required by state or federal law or regulation, the written policy must require that, when such paper or electronic documents are no longer needed, the covered entity must destroy or arrange for the destruction of such paper and electronic documents within its custody or control that contain personal identifying information by shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.
To protect personal identifying information from unauthorized access, use, modification, disclosure, or destruction, a covered entity that maintains, owns, or licenses personal identifying information of an individual residing in Colorado must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.
Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party servicer provider, the covered entity must require that the third-party service provider implement and maintain reasonable security procedures and practices that are:
- Appropriate to the nature of the personal identifying information disclosed to the third-party service provider; and
- Reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.
A disclosure of personal identifying information does not include disclosure of information to a third party under circumstances where the covered entity retains primary responsibility for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal identifying information and the covered entity implements and maintains technical controls that are reasonably designed to:
- Help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction; or
- Effectively eliminate the third party’s ability to access the personal identifying information, notwithstanding the third party’s physical possession of the personal identifying information.
A covered entity that is regulated by state or federal law and that maintains procedures for protection and disposal of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with these provisions.
A covered entity that maintains, owns, or licenses computerized data that includes personal information about a resident of Colorado must, when it becomes aware that a security breach may have occurred, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The covered entity must give notice to the affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. Notice must be made in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination (previously as soon as practical) that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.
In the case of a breach of personal information, notice to affected Colorado residents must include, but need not be limited to, the following information:
- The date, estimated date, or estimated date range of the security breach;
- A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach;
- Information that the resident can use to contact the covered entity to inquire about the security breach;
- The toll-free numbers, addresses, and websites for consumer reporting agencies;
- The toll-free number, address and website for the Federal Trade Commission; and
- A statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes.
Covered entities who have experienced a breach of personal information that is likely to be misused must also direct the person whose personal information was breached to change his or her password and security question or answer or take other appropriate steps.
The breach of encrypted or otherwise secured personal information must be disclosed if the confidential process, encryption key, or other means to decipher the secured information was also acquired in the security breach or was reasonably believed to have been acquired.
A covered entity that is required to provide notice to affected Colorado residents is prohibited from charging the cost of providing the notice to the affected residents.
The covered entity is not precluded from including any additional information in the notice, including any information that may be required by state or federal law.
Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and the law enforcement agency has notified the covered entity that conducts business in Colorado not to send notice. The notice must be made in good faith, in the most expedient time possible and without unreasonable delay but not later than 30 days (previously as soon as possible) after the law enforcement agency determines that notification will no longer impede the investigation and has notified the covered entity that conducts business in Colorado that it is appropriate to send the notice.
The amendments also include provisions related to the following:
- Notice requirements for third-party providers maintaining computerized data that includes personal information; and
- Requirement to notify the Colorado Attorney General of a data breach.
Colorado House Bill 18-1254
At any time after the recording of the notice of election and demand but prior to the sale, a portion of the property may be released from the deed of trust being foreclosed pursuant to state law or as otherwise provided by order of a court of competent jurisdiction recorded in the county where the property being released is located. Upon recording of the release or court order, the holder of the evidence of debt or the attorney for the holder must pay the required fee, amend the combined notice, and, in the case of a public trustee foreclosure, amend the notice of election and demand to describe the property that continues to be secured by the deed of trust or other lien being foreclosed as of the effective date of the release or court order; except that the amended combined notice may be omitted with the prior approval of the public trustee. The public trustee must record the amended notice of election and demand upon receipt. Upon receipt of the amended combined notice, if provided by the holder or the attorney for the holder, the public trustee must republish and mail the amended combined notice as required. If the amended combined notice was omitted, upon recordation of the amended notice of election and demand, the public trustee must supply an amended combined notice and must then republish and mail the amended combined notice as required.
The public trustee may require the holder or servicer to make a deposit of up to $500 (previously $650) plus the amount of the fee permitted, at the time the notice of election and demand is filed, to be applied against the fees and costs of the public trustee.
If the holder of the evidence of debt is the highest bidder with a bid that exceeds the total amount due shown on the bid, the holder of the evidence of debt is only required to pay the excess of the amount bid over the amount due the holder of the evidence of debt, as shown on the bid submitted.
The amendments also include revisions related to:
- Procedures upon the termination of any injunction or upon the entry of a bankruptcy court order dismissing the bankruptcy case, abandoning the property being foreclosed, closing the bankruptcy case, or granting relief from the automatic stay provisions of the federal bankruptcy code;
- Procedures when a foreclosure is set aside by court order;
- Public trustee’s duties regarding an overbid;
- Rescission of a public trustee sale; and
- Redemption by the holder of a certificate of purchase issued upon the foreclosure of a deed of trust.