Second Regular Session
Sixty-ninth General Assembly
STATE OF COLORADO

INTRODUCED

LLS NO. 14-0615.01 Nicole Myers x4326
HOUSE BILL 14-1140

HOUSE SPONSORSHIP: Conti
SENATE SPONSORSHIP: (None)
House Committees: State, Veterans, & Military Affairs; Appropriations
Senate Committees:

A BILL FOR AN ACT
Concerning the requirements of a state entity when the state entity experiences an incident that could compromise the security of sensitive personal information held by the state entity.

Bill Summary

(Note: This summary applies to this bill as introduced and does not reflect any amendments that may be subsequently adopted. If this bill passes third reading in the house of introduction, a bill summary that applies to the reengrossed version of this bill will be available at http://www.leg.state.co.us/billsummaries.)

If a state entity experiences an accidental or deliberate event that results in or constitutes a threat of the unauthorized access, loss, disclosure, modification, disruption, or destruction of personal or financial identifying information (security incident) and determines that the security incident occurred due to an error of the state entity or any employee of the state entity or due to a lack of security protecting the personal or financial identifying information held by the state entity, the state entity must notify any person who may be impacted by the security incident of the following:

  - That a security incident occurred and that the security of the person's personal or financial identifying information held by the state entity may have been compromised;
  - That the person is entitled to have the state entity pay for identity theft protection services on the person's behalf for a limited time after the security incident occurred; and
  - That the person may contact the state entity for further information.

The state entity shall include relevant contact information for the state entity in the notification.

The bill requires the chief information officer of the office of information technology to promulgate rules necessary for the implementation of these requirements. The rules promulgated by the chief information officer apply to each executive branch department of the state and may be adopted by any state entity that is not an executive branch department. A state entity that is not an executive branch department and that does not adopt the rules of the chief information officer is required to promulgate its own rules or adopt its own policies as necessary for the implementation of these requirements.

Be it enacted by the General Assembly of the State of Colorado:

SECTION 1. In Colorado Revised Statutes, add article 10.5 to title 24 as follows:

ARTICLE 10.5
Compromised Personal or Financial Identifying Information

24-10.5-101. Definitions. As used in this article, unless the context otherwise requires:

(1) "Financial identifying information" means any of the following that can be used, alone or in conjunction with any other information, to obtain cash, credit, property, services, or any other thing of value or to make a financial payment:
  (a) A personal identification number, credit card number, banking card number, checking account number, debit card number, electronic fund transfer card number, guaranteed check card number, or routing number; or
  (b) A number representing a financial account or a number affecting the financial interest, standing, or obligation of or to the account holder.

(2) "Identity theft protection service" means an organization that protects its customers against credit fraud and identity theft, alerts customers when it detects the unauthorized use of personal identifying information or financial identifying information, and helps customers recover from identity theft.
(3) "Personal identifying information" means information that may be used, alone or in conjunction with any other information, to identify a specific individual, including but not limited to a name; date of birth; social security number; password; pass code; an official, government-issued driver's license or identification card number; government passport number; biometric data; or employer, student, or military identification number.

(4) "Security incident" means an accidental or deliberate event that results in or constitutes a threat of the unauthorized access, loss, disclosure, modification, disruption, or destruction of personal identifying information or financial identifying information.

(5) "State entity" means the state of Colorado and any board, commission, department, corporation, instrumentality, or agency thereof.

24-10.5-102. State compromise of personal or financial identifying information.

(1) If a state entity experiences a security incident and determines that the security incident occurred due to an error of the state entity or any employee of the state entity or due to a lack of reasonable security protecting the personal identifying information or financial identifying information held by the state entity, the state entity must notify any person who may be impacted by the security incident of the following:
  (a) That a security incident occurred, the date and nature of the security incident, the nature of the information that was the target of the security incident, and that the security of the person's personal identifying information or financial identifying information held by the state entity may have been compromised;
  (b) That a person whose personal identifying information or financial identifying information may have been compromised is entitled to have the state entity pay for identity theft protection services on the person's behalf for one year after the security incident occurred pursuant to subsection (2) of this section; and
  (c) That the person may contact the state entity for further information or if the person has questions. The notification must include the contact information for the state entity, including any special telephone numbers, web sites, or addresses established for people who are inquiring about the security incident.

(2) A state entity that determines that a security incident occurred due to an error of the state entity or any employee of the state entity or due to a lack of security protecting personal identifying information or financial identifying information shall contract with an identity theft protection service to provide identity theft protection services to any person whose personal identifying information or financial identifying information may have been compromised due to the security incident. The state entity shall provide the protection for one year after the date of the security incident.

24-10.5-103. Rules.

(1) The chief information officer of the office of information technology created pursuant to section 24-37.5-103 shall promulgate rules necessary for the implementation of this article in accordance with article 4 of this title. The rules promulgated by the chief information officer apply to each executive branch department of the state.

(2) Any state entity that is not an executive branch department must either promulgate rules or procedures necessary for the implementation of this article or determine, as a matter of policy, to follow the rules promulgated pursuant to subsection (1) of this section. Any state entity that is not an executive branch department and that promulgates rules or procedures pursuant to this subsection (2) must promulgate such rules or procedures in accordance with article 4 of this title.

SECTION 2. Act subject to petition - effective date. This act takes effect at 12:01 a.m. on the day following the expiration of the ninety-day period after final adjournment of the general assembly (August 6, 2014, if adjournment sine die is on May 7, 2014); except that, if a referendum petition is filed pursuant to section 1 (3) of article V of the state constitution against this act or an item, section, or part of this act within such period, then the act, item, section, or part will not take effect unless approved by the people at the general election to be held in November 2014 and, in such case, will take effect on the date of the official declaration of the vote thereon by the governor.