State Mandated Policy for Storing Personal Identifying Information

Effective September 1, 2018, Colorado Revised Statute § 6-1-713 requires “covered entities” to comply with new rules regarding the security and disposal of Personal Identifying Information, e.g., social security numbers, tax identification number, passwords, passcodes, driver’s licenses and numbers, etc.

Note: Management Companies and Homeowners Associations that handle Personal Identifying Information should adopt a policy with the following provisions:

I. A provision for the protection of Personal Identifying Information:

• Must require third party (for example, an Information Technology company that handles your data/computers) to provide its own security measures for protecting Personal Identifying Information.

• Must effectively eliminate third party’s ability to access Personal Identifying Information without authorization.

II. A provision for the procedure for destroying and deleting both physical and electronic copies of personal Identifying Information:

• The Personal Identifying Information must at least be shredded, erased, or otherwise modified to make the information completely unreadable and indecipherable.

III. Companies must have a procedure for when security breach(s) occur.

• The procedure most contain provisions on how to disclose the breach to parties with exposed Personal Identifying Information.

• The breached entity must have a policy in place to conduct a thorough investigation of the breach.

• This procedure must contain provisions on how to contact and notify the Office of the Attorney General.

• The breached entity must email or otherwise reasonably notify the people whose Personal Identifying Information was breached.

• The breached entity must a post conspicuous notification on its website that a breached has occurred and must also provide notification to a major, statewide media.

Note: This is not an exhaustive list. Please contact WesternLaw Group to learn more.