First Regular Session
Sixty-eighth General Assembly
STATE OF COLORADO
INTRODUCED

LLS NO. 11-0510.01 Julie Pelegrin
HOUSE BILL 11-1225

HOUSE SPONSORSHIP: Pabon, Court, Duran, Hullinghorst, McCann, Miklosi
SENATE SPONSORSHIP: (None)

House Committees: Judiciary
Senate Committees:

A BILL FOR AN ACT
Concerning legal actions addressing breaches of data security that involve personal information.

Bill Summary

(Note: This summary applies to this bill as introduced and does not reflect any amendments that may be subsequently adopted. If this bill passes third reading in the house of introduction, a bill summary that applies to the reengrossed version of this bill will be available at http://www.leg.state.co.us/billsummaries.)

Under the bill, an individual or commercial entity is not liable for civil damages resulting from a breach of data security made possible by acts or omissions made in good faith, so long as the acts or omissions were not grossly negligent or willful and wanton, if:

    The breach of data security is committed by a third party without authorized access or by an employee or agent operating outside the scope of employment; and

    The individual or commercial entity that holds the personal information has been audited by a qualified information technology auditor and found to be implementing best practices and meeting information technology security standards.

If the individual or commercial entity has not been audited, the individual or commercial entity may raise a rebuttable presumption at trial that it was not negligent in making possible the breach of data security if the individual or commercial entity demonstrates that it was operating in accordance with the best practices and standards.

The state's chief information officer will identify an entity that will identify national organizations that certify persons with the expertise to act as data security auditors, and the entity will identify the best practices and data security standards that an individual or commercial entity should follow.

A person who is the victim of a computer crime or breach of data security may petition the court for a subpoena to require the individual or commercial entity whose data system was breached to provide any information it may have concerning the perpetrators of the crime or breach. If the individual or commercial entity provides the information, it will be immune for the direct use of the information against the individual or commercial entity in a civil suit brought by a person other than the victim, so long as the individual or commercial entity or its employees or agents were not grossly negligent and did not act willfully or wantonly.

The bill creates a new class 1 misdemeanor computer crime if a person receives stolen computer-related property, including data, and intends to use it in a way that deprives the lawful owner of its use, to commit another crime with it, or to use it to damage the lawful owner's reputation.

The bill makes conforming amendments.

Be it enacted by the General Assembly of the State of Colorado:

SECTION 1. Article 21 of title 13, Colorado Revised Statutes, is amended BY THE ADDITION OF A NEW PART to read:

PART 12
LIABILITY FOR DATA SECURITY BREACHES INVOLVING PERSONAL INFORMATION

13-21-1201. Definitions. As used in this part 12, unless the context otherwise requires:

(1) "Authorization" shall have the same meaning as provided in section 18-5.5-101 (1), C.R.S.

(2) "Breach of data security" shall have the same meaning as the phrase "breach of the security of a system" as provided in section 6-1-716 (1) (a), C.R.S.

(3) "Computer" shall have the same meaning as provided in section 18-5.5-101 (2), C.R.S.

(4) "Computer crime" means identity theft as described in section 18-5-902, C.R.S., committed wholly or in part by using a computer, computer network, or computer system, or computer crime as described in section 18-5.5-102, C.R.S.

(5) "Computer network" shall have the same meaning as provided in section 18-5.5-101 (3), C.R.S.

(6) "Computer system" shall have the same meaning as provided in section 18-5.5-101 (6), C.R.S.

(7) "Exceed authorized access" shall have the same meaning as provided in section 18-5.5-101 (6.7), C.R.S.

(8) (a) "Personal information" means:

    (I) Any of the following that can be used, alone or in conjunction with any other information, to obtain cash, credit, property, services, or any other thing of value or to make a financial payment:

        (A) A personal identification number, credit card number, banking card number, checking account number, debit card number, electronic fund transfer card number, guaranteed check card number, or routing number; or

        (B) A number representing a financial account or a number affecting the financial interest, standing, or obligation of or to the account holder; or

    (II) Information that may be used, alone or in conjunction with any other information, to identify a specific individual, including but not limited to a name; a date of birth; a social security number; a password; a pass code; an official, government-issued driver's license or identification card number; a government passport number; biometric data; or an employer, student, or military identification number.

(b) "Personal information" does not include publicly available information that is lawfully made available to the general public by the person to whom the information pertains or whose financial accounts it concerns or from federal, state, or local government records or widely distributed media.

(9) "Qualified information technology security auditor or assessor" means a person who:

    (a) Is certified by one or more nationally recognized organizations or associations in the information technology industry as having expertise in data security; and

    (b) Has not been convicted of or pled guilty or nolo contendere to a felony or misdemeanor offense involving moral turpitude, including but not limited to offenses involving fraud as described in article 5 of title 18, C.R.S., computer crimes as described in article 5.5 of title 18, C.R.S., failure to pay child support, or any comparable offense under the laws of any other state, the United States, or a foreign country.

13-21-1202. Immunity from liability for breach of data security - audit.

(1) An individual or commercial entity that operates in Colorado and that owns, licenses, or maintains computerized data that includes personal information shall not be liable for civil damages resulting from a breach of data security made possible by acts or omissions made in good faith by the individual or commercial entity or its agents or employees, so long as the acts or omissions were not grossly negligent or willful and wanton, if:

    (a) The breach of data security is committed by a third party without authorization or whose actions exceed authorized access to the individual's or commercial entity's computer, computer network, or computer system, or by an employee or agent of the individual or commercial entity acting outside the scope of his or her employment in causing the breach; and

    (b) Prior to the breach of data security, the individual or commercial entity is certified by a qualified information technology security auditor or assessor as implementing best practices in the area of data security and meeting information technology security standards, as identified by the entity identified pursuant to section 13-21-1204.

(2) An individual or a commercial entity that claims immunity pursuant to this section is responsible for verifying that the person who audits or assesses the individual's or commercial entity's implementation of best practices and compliance with technology security standards is a qualified information technology security auditor or assessor.

13-21-1203. Breach of data security - rebuttable presumption.

An individual or a commercial entity that is not immune from civil liability pursuant to section 13-21-1202 for a breach of data security may establish a rebuttable presumption that the individual or commercial entity, and the employees or agents of the individual or commercial entity, were not negligent in making possible the breach of data security by introducing evidence that the individual or commercial entity implemented the best practices and was in compliance with the technology security standards identified by the entity identified pursuant to section 13-21-1204.

13-21-1204. Office of information technology - selection of entity - certifications - best practices and standards.

(1) The chief information officer appointed pursuant to section 24-37.5-103, C.R.S., shall identify an entity in this state, referred to in this section as the "entity", to carry out the duties specified in this section. The entity identified by the chief information officer shall have expertise in the laws and practices surrounding data security and privacy. The chief information officer shall publicize the name and internet address of the entity on the statewide internet portal established pursuant to article 37.7 of this title.

(2) The entity shall provide on its web site for public access a list of the nationally recognized organizations or associations in the information technology industry that certify a person's qualifications in data security systems. The entity shall review and update the list at least annually.

(3) The entity shall identify the best practices that an individual or a commercial entity may implement and information technology security standards with which an individual or a commercial entity may comply if the individual or commercial entity owns, licenses, or maintains computerized data that includes personal information. The entity shall post the list of best practices and information technology security standards on its web site for public access and shall review and update the best practices and standards at least annually.

13-21-1205. Consumers - investigation of breach of data security - authority to issue subpoenas.

(1) A person who is the victim of a computer crime or whose personal information is lost, stolen, or compromised as a result of a breach of data security may petition the court for the issuance of a subpoena commanding an individual or commercial entity that was the subject of a data security breach or any third party to produce any information in its possession, custody, or control regarding the computer crime or the unauthorized access to the petitioner's personal information to facilitate the detection, apprehension, and prosecution of any perpetrator of the computer crime or breach of data security.

(2) A person who seeks a subpoena pursuant to this section shall file with a court of competent jurisdiction in the judicial district in which the individual or commercial entity is located or doing business, a verified petition ex parte alleging under oath the occurrence of the computer crime or breach of data security and the loss of personal information. The court shall issue the subpoena upon a finding that the petition sets forth a showing of probable cause to believe that the petitioner has been the victim of a computer crime or breach of data security and that the individual or commercial entity for whom the subpoena is sought is in possession, custody, or control of evidence likely to facilitate the detection, apprehension, and prosecution of any perpetrator.

(3) A petition filed pursuant to this section may be filed under seal if a public filing would subject the petitioner or any innocent third party to further risk of harm or would risk hindering the detection, apprehension, or prosecution of any perpetrator.

(4) The court may consider a motion to quash a subpoena issued pursuant to this section, to limit production sought by the subpoena, or to issue protective orders to protect the rights of third parties, other than a perpetrator.

(5) An individual or commercial entity, other than a perpetrator, that produces information in response to a subpoena authorized and issued pursuant to this section shall be immune from the direct use of said information in any civil action brought by a party other than the victim of the computer crime or breach of data security against the individual or commercial entity for acts or omissions made in good faith by the individual or commercial entity or its agents or employees, so long as the acts or omissions were not grossly negligent or willful and wanton.

SECTION 2. 18-5.5-102 (1) (g), Colorado Revised Statutes, is amended, and the said 18-5.5-102 (1) is further amended BY THE ADDITION OF A NEW PARAGRAPH, to read:

18-5.5-102. Computer crime.

(1) A person commits computer crime if the person knowingly:

    (g) Uses or causes to be used a software application that runs automated tasks over the internet to access a computer, computer network, or computer system, or any part thereof, that circumvents or disables any electronic queues, waiting periods, or other technological measure intended by the seller to limit the number of event tickets that may be purchased by any single person in an on-line event ticket sale as defined in section 6-1-720, C.R.S.; or

    (h) Receives, retains, possesses, or disposes of property knowing or believing that the property has been stolen or obtained, by means of access that is not authorized or that exceeds authorized access, from a computer, computer network, or computer system, and the person intends to:

        (I) Use or dispose of the property in a way that deprives the lawful owner or any lawful licensee of the property of its use or benefit;

        (II) Use or dispose of the property in order to commit, attempt, or solicit the commission of any other offense in violation of this title or the laws of any other state or of the United States; or

        (III) Damage the reputation of the lawful owner or any lawful licensee of the property.

SECTION 3. 18-5.5-102 (3) (a), Colorado Revised Statutes, is amended, and the said 18-5.5-102 (3) is further amended BY THE ADDITION OF A NEW PARAGRAPH, to read:

18-5.5-102. Computer crime.

(3) (a) Except as provided in paragraphs (b) and (c) (b), (c), and (e) of this subsection (3), if the loss, damage, value of services, or thing of value taken, or cost of restoration or repair caused by a violation of this section is less than five hundred dollars, computer crime is a class 2 misdemeanor; if five hundred dollars or more but less than one thousand dollars, computer crime is a class 1 misdemeanor; if one thousand dollars or more but less than twenty thousand dollars, computer crime is a class 4 felony; if twenty thousand dollars or more, computer crime is a class 3 felony.

(e) Computer crime committed in violation of paragraph (h) of subsection (1) of this section is a class 1 misdemeanor.

SECTION 4. 24-37.5-106 (1) (r) and (1) (s), Colorado Revised Statutes, are amended, and the said 24-37.5-106 (1) is further amended BY THE ADDITION OF A NEW PARAGRAPH, to read:

24-37.5-106. Chief information officer - duties and responsibilities - broadband inventory fund created.

(1) The chief information officer shall:

    (r) In consultation with the government data advisory board created in section 24-37.5-703, adopt rules and procedures for responding to data requests submitted by an entity outside of state government; and

    (s) In consultation with the government data advisory board created in section 24-37.5-703, adopt a schedule of fees that the office may charge to state agencies to supervise and administer interdepartmental and external data requests, that a state agency may charge another state agency in responding to an interdepartmental data request, and that a state agency may charge to respond to a data request submitted by an entity outside of state government. The chief information officer shall ensure that the amount of the fees does not exceed the direct and indirect costs incurred by the office or by the state agency that is responding to a data request; and

    (t) Identify an entity as described in section 13-21-1204, C.R.S., to perform the duties related to data security specified in said section and to post the name and internet address of the entity on the statewide data portal.

SECTION 5. Effective date - applicability. This act shall take effect July 1, 2011, and sections 2 and 3 of this act shall apply to offenses committed on or after said date.

SECTION 6. Safety clause. The general assembly hereby finds, determines, and declares that this act is necessary for the immediate preservation of the public peace, health, and safety.