Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 30 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- Action for compliance and/or economic damages

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Specific requirements for notification.
  • Breach reporting to the Colorado Attorney General is required when a breach involves 500 or more Colorado residents.
  • Breach reporting to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis is required when a breach involves 1,000 or more Colorado residents.
  • The Attorney General may bring an action in law or equity to address violations, and for other relief that may be appropriate to ensure compliance or to recover direct economic damages, or both.
  • The Attorney General has the authority to prosecute any criminal violations.
  • Colorado’s data disposal law covers paper and electronic documents.
  • Colorado law require entities to develop a written policy for protection of and disposal of documents containing personal identifying information.
  • Vendors must be under contract with a data owner, and must implement and maintain appropriate security procedures and practices.
  • Colorado has strict laws protecting student data in the educational system.
  • If vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using the state’s rules.
Statutes and Laws
  • C.R.S. § 6-1-713 Disposal of personal identifying information
  • C.R.S. § 6-1-713.5. Protection of personal identifying information
  • C.R.S. § 6-1-716 Notification of security breach
  • C.R.S. § 6-1-711 Restrictions on credit card receipts
  • C.R.S. § 6-1-715 Confidentiality of social security numbers
  • C.R.S. §§ 6-17-101 – 6-17-106 Uniform Records Retention Act
  • C.R.S. §§ 22-16-101 – 22-16-112 Student Data Transparency and Security Act
BAck to map