If your company has customers in Colorado, you may need to revamp your policies for notifying victims of a data breach.

Last week, Colorado Gov. John Hickenlooper signed into law expansive consumer data legislation that mandates all organizations report breaches within 30 days, making it the most stringent in the nation.

The legislation updates the state’s current notification language that states notification must happen without “reasonable delay.”

Coloradocapitolhill2.JPG

There are no exemptions from the notification rule. This will have a unique impact on healthcare organizations required to notify individuals of a HIPAA breach. The state law takes takes precedence over the federal 60-day notification window.

The law additionally requires organizations to maintain a policy for disposing documents with consumer data. It also expands the state’s definition of “personally identifying information” and requires organizations to provide Colorado residents affected by data breaches with the estimated date of the breach and a description of what information was likely accessed.

The new law requires the 30-day notification unless an investigation by the entity that was breached determines that the misuse of information about a resident has not occurred and is not reasonably likely to occur.

The Colorado regulation is set to take effect Sept. 1.

Colorado’s law joins data breach notification laws now in place in all 50 states. Most states require that organizations notify state residents in a reasonable amount of time, but don’t mandate a specific time frame. 

“Of the states that have picked time frames, most have gone with 45 [days],” Ballard Spahr partner David Stauss, who was part of the drafting process for the bill noted. “What Colorado wanted to be was extremely proactive on the time frame notice. They wanted to have a time frame that was reasonable, but was also appropriate to the risks involved.”

He said his firm is telling clients to get procedures to comply in place now. “You can’t spend two weeks trying to figure out how to conduct an investigation. That’s not a prompt investigation,” Stauss noted.

Colorado joins Florida as one of the toughest states for breach notification timelines. Florida also has a 30-day notification law, but there’s a clause that gives organizations an extra 15 days if there’s a “good cause for delay.”

Colorado is just one of many states overhauling data privacy and security laws in the wake of last year’s massive breaches. North Carolina is currently considering what would be the toughest turnaround, which would give just 15 days to report a breach.


If you suspect a data breach has occurred within your organization and need help conducting an investigation, remediating the breach, or knowing how to comply with notification regulations that may apply to you, contact Breadcrumb Cybersecurity. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.