Data Privacy Requirements for Employers

On May 29, 2018, Gov. Hickenlooper signed HB 18-1128 into law. This law generally requires all covered entities that maintain documents with personal identifying information of CO residents to develop and maintain written policies for the protection, destruction and proper disposal of those documents. These requirements are effective Sept. 1, 2018.

A "covered entity" under this new law is defined as any person or entity "that maintains, owns, or licenses personal identifying information." "Personal identifying information" is defined as a Social Security number, PIN, password, passcode, government-issued driver's license or ID card number, passport number, biometric data, an employer/student/military identification number, or a financial transaction device. Therefore, since virtually all employers maintain information on their employees that meets the definition of personal identifying information, employers with CO employees will be subject to the requirements of the new law.

Specifically, the provisions under the new law require that covered entities (1) implement reasonable security procedures and practices, (2) establish and follow a written policy for the destruction and proper disposal of personal information, (3) ensure that third-party service providers that handle personal information follow reasonable security procedures and practices, and (4) follow notification procedures in the event of a security breach.

Employers who maintain personal identifying information on CO residents must comply by Sept. 1, 2018. Thus, covered entities should take immediate steps to ensure they are complying with the law’s requirements with the help of outside counsel. Failure to adhere to these requirements could result in civil penalties of up to $2,000 per affected person, up to a maximum of $500,000 per incident, or the employer can be held directly liable to affected individuals harmed by the violation.

HB 18-1128