Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 30 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws are actionable for compliance and/or economic damages

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Specific requirements for notification.
  • Breach reporting to the Colorado Attorney General is required when a breach involves 500 or more Colorado residents.
  • Breach reporting to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis is required when a breach involves 1,000 or more Colorado residents.
  • The Attorney General may bring an action in law or equity to address violations, and for other relief that may be appropriate to ensure compliance or to recover direct economic damages, or both.
  • The Attorney General has the authority to prosecute any criminal violations.
  • Colorado’s data disposal law covers paper and electronic documents.
  • Colorado law requires entities to develop a written policy for the protection and disposal of documents containing personal identifying information.
  • Vendors must be under contract with a data owner, and must implement and maintain appropriate security procedures and practices.
  • Colorado has strict laws protecting student data in the educational system.
  • If a vendor is breached, it must report the breach to the data owner. The data owner will be responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using each state’s rules.
Statutes and Laws
  • C.R.S. § 6-1-713 Disposal of personal identifying information 2004
  • C.R.S. § 6-1-713.5. Protection of personal identifying information 2018
  • C.R.S. § 6-1-716 Notification of security breach 2006
  • C.R.S. § 6-1-711 Restrictions on credit card receipts 2002
  • C.R.S. § 6-1-715 Confidentiality of social security numbers 2006
  • C.R.S. §§ 6-17-101-106 Uniform Records Retention Act 1990
  • C.R.S. §§ 22-16-101 – 22-16-112 Student Data Transparency and Security Act 2016