Second Regular Session
Seventieth General Assembly
STATE OF COLORADO

CORRECTED INTRODUCED

LLS NO. 16-0089.01 Richard Sweetman x4333

HOUSE BILL 16-1208

HOUSE SPONSORSHIP
Carver, Lebsock, Humphrey, Joshi, Roupe, Windholz, Lundeen, Ginal, Klingenschmitt, Wist, Brown, Landgraf, Rosenthal, Saine, Singer

SENATE SPONSORSHIP
Lundberg and Newell,

House Committees: State, Veterans, & Military Affairs
Senate Committees:

A BILL FOR AN ACT

Concerning the creation of a subcommittee to address information security, and, in connection therewith, charging the subcommittee to consider strategies for protecting data and other information resources of the state against unauthorized access, disclosure, use, modification, or destruction.

Bill Summary

(Note: This summary applies to this bill as introduced and does not reflect any amendments that may be subsequently adopted. If this bill passes third reading in the house of introduction, a bill summary that applies to the reengrossed version of this bill will be available at http://www.leg.state.co.us/billsummaries.)

The bill creates within the joint technology committee a subcommittee on data privacy and cyber-security (subcommittee) to consider:

    Whether state governmental agencies are collecting or retaining data that exceed what is necessary and appropriate for such agencies to perform their functions;
    Who has access to such data, the extent of such access, and appropriate measures to protect sensitive data; and
    Measures to protect such data against unauthorized access, disclosure, use, modification, or destruction.

The subcommittee shall submit its findings to the joint technology committee and to the general assembly, by January 1, 2018. The subcommittee is repealed, effective July 1, 2018.

Be it enacted by the General Assembly of the State of Colorado:

SECTION 1. In Colorado Revised Statutes, add 2-3-1705.5 as follows:

2-3-1705.5. Subcommittee on data privacy and cyber-security - creation - membership - duties - repeal.
(1) There is created within the committee the subcommittee on data privacy and cyber-security, referred to within this section as the "subcommittee".

(2) The subcommittee consists of the following members:
    (a) One member of the majority party of the house of representatives, to be appointed by the speaker of the house of representatives;
    (b) One member of the minority party of the house of representatives, to be appointed by the house minority leader;
    (c) One member of the majority party of the senate, to be appointed by the president of the senate;
    (d) One member of the minority party of the senate, to be appointed by the senate minority leader;
    (e) Four members to be appointed by the governor, as follows:
        (I) One member at an institution of higher education in the state with a department or program related to electronic data, cyber-security, or privacy;
        (II) One member who owns or is employed full-time by a private company that provides professional services relating to cyber-security;
        (III) One member representing a nonprofit organization that is involved with issues related to data privacy; and
        (IV) One member representing the office of information technology created in section 24-37.5-103, C.R.S.; and
    (f) The chief information security officer appointed pursuant to section 24-37.5-403, C.R.S.

(3) (a) Each member of the subcommittee may serve indefinitely at the pleasure of his or her appointing authority and continue serving until a successor is appointed.
    (b) The members of the subcommittee may select one member to serve as chair of the subcommittee and another member to serve as vice-chair.
(4) The subcommittee shall consider:
    (a) Whether state governmental agencies are collecting or retaining data that exceed what is necessary and appropriate for such agencies to perform their functions;
    (b) Who has access to such data, the extent of such access, and appropriate mechanisms to protect sensitive data; and
    (c) Additional measures to protect such data against unauthorized access, disclosure, use, modification, or destruction.

(5) All state and local agencies shall cooperate with the subcommittee and provide such data and other information as the subcommittee may require in carrying out its duties under this section. Any state or local agency or organization that is represented on the subcommittee may provide staff assistance to the subcommittee, subject to the discretion of the chair. Any staff assistance provided to the subcommittee pursuant to this subsection (5) is without compensation.

(6) The subcommittee shall:
    (a) Meet at least three times each calendar year, or more often as directed by the chair of the subcommittee;
    (b) Communicate with and obtain input from groups throughout the state affected by the issues identified in subsection (4) of this section;
    (c) Submit its findings and recommendations to the committee and to the general assembly on or before January 1, 2018. The findings, at a minimum, must include the following:
        (I) Whether any additional areas concerning data privacy and cyber-security should be reviewed by the subcommittee;
        (II) Whether legislation is necessary to limit the collection or access to or protection of data; and
        (III) Whether the general assembly should extend the date upon which the subcommittee is repealed, as described in subsection (9) of this section, so as to allow the subcommittee to continue its work.
(7) In addition to the findings described in paragraph (c) of subsection (6) of this section, the subcommittee may submit its findings to the committee or to the general assembly on or before January 1, 2017, addressing any of the items described in said paragraph (c).

(8) Nonlegislative members of the subcommittee serve without compensation but may receive reimbursement for actual travel expenses.

(9) This section is repealed, effective July 1, 2018, unless extended by the general assembly.

SECTION 2. Act subject to petition - effective date. This act takes effect at 12:01 a.m. on the day following the expiration of the ninety-day period after final adjournment of the general assembly (August 10, 2016, if adjournment sine die is on May 11, 2016); except that, if a referendum petition is filed pursuant to section 1 (3) of article V of the state constitution against this act or an item, section, or part of this act within such period, then the act, item, section, or part will not take effect unless approved by the people at the general election to be held in November 2016 and, in such case, will take effect on the date of the official declaration of the vote thereon by the governor.