MONEY & THE LAW: Colorado law protects consumers hit by data breaches [Gazette, The (CO)]
With merchant data breaches becoming a regular occurrence (Target, eBay, P.F. Chang's, etc.), I thought I should tell you what Colorado law says about notification to affected individuals. Forty-seven states have statutes addressing this issue, with Colorado's going back to 2006.
The Colorado statute, a part of the state's Consumer Protection Act, begins with a definition of security system breach. One occurs when there is an "unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information." This definition is narrowed substantially by the definition of "personal information," which means a Colorado resident's first name or first initial and last name, in combination with one or more of the following: Social Security number; driver's license or identification card number; or account number (including a credit or debit card number), together with any security code, access code or password required to access the account.
The statute goes on to say that, when a company conducting business in Colorado becomes aware of a security system breach, it must promptly and in good faith conduct an investigation to "determine the likelihood that personal information has been or will be misused." Unless this investigation concludes that misuse has not occurred and is not reasonably likely to occur, the company must give notice of the breach to affected Colorado residents "as soon as possible."
To fuzz things up a bit, the statute further says that "notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system."
The statute says a law enforcement agency can order a delay in giving notice if it concludes notice will impede a criminal investigation.
If notice is required, and more than 1,000 Colorado residents are affected, the statute additionally requires that a notice be given to all nationwide credit reporting agencies. But a company giving this notice need not provide names or other personal information.
If notice to affected Colorado residents must be given, there is considerable flexibility as to how it can be done. It can be by mail, telephone or email and, in some cases, by a posting on the company's website or by notification to statewide media.
Also, if a company is regulated by a state or federal agency that requires it to have procedures in place for handling a data breach, the company can follow those procedures.
There is now considerable debate over whether giving notice of a data breach is a good idea or a bad one.
Some argue that giving notice merely serves to make a bad thing worse by inviting further cyberattacks. Others, however, argue that widespread disclosure of data breaches helps to deter further attacks.
In all events, consumers can take comfort from the fact that federal and state laws protect them from unauthorized use of financial accounts as long as they monitor their accounts and promptly report any unauthorized use.
Jim Flynn is a private attorney with Flynn Wright & Fredman LLC in Colorado Springs. Email him at firstname.lastname@example.org.
(c) 2014 ProQuest Information and Learning Company; All Rights Reserved.