Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 30 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

  • Action for compliance and/or economic damages

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • There are specified requirements for consumer notification.
  • Breach reporting to the Colorado Attorney General is required when a breach involves 500 or more Colorado residents.
  • Breach reporting to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis is required when a breach involves 1,000 or more Colorado residents.
  • A vendor discovering a breach or suspected breach must notify the organization. The organization remains responsible for reporting to the regulator and for consumer notification.
  • If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • The Attorney General may bring an action in law or equity to address violations, and for other relief that may be appropriate to ensure compliance or to recover direct economic damages, or both.
  • Organizations must contract with Vendors to whom the Organization discloses personal information.
  • Vendors under contract with whom an organization shares personal information must implement and maintain appropriate security procedures and practices.
  • Colorado’s data disposal law covers paper and electronic documents.
  • Colorado’s data disposal law requires entities to develop a written policy for protection of and disposal of documents containing personal identifying information.
  • If an Organization contracts with a Vendor for the disposal of documents containing personal information, the Vendor has the responsibility for proper disposal of the documents. If the Organization does not enter into a contract with the Vendor, the Organization retains the responsibility for proper disposal of the documents.
  • Organizations may be fined or penalized for Vendor violations.
Statutes and Laws
  • C.R.S. § 6-1-711 Restrictions on credit card receipts
  • C.R.S. § 6-1-713 Disposal of personal identifying information
  • C.R.S. § 6-1-713.5 Protection of personal identifying information
  • C.R.S. § 6-1-715 Confidentiality of social security numbers
  • C.R.S. § 6-1-716 Notification of security breach
  • C.R.S. §§ 6-17-101 – 6-17-106 Uniform Records Retention Act
  • C.R.S. §§ 22-16-101 – 22-16-112 Student Data Transparency and Security Act