Colorado proposes requiring data breaches to be reported in 30 days

The amended bill that would cut breach reporting time in half for healthcare providers, unanimously passed a State House committee meeting last week.
By Jessica Davis
11:45 AM
Share
colorado breach reporting

The Colorado legislature is considering a bill to drastically improve the state’s privacy and data security law, including giving organizations just 30 days to report a breach.

Introduced in January, the amended bill passed unanimously in the House Committee on State, Veterans and Military Affairs on Feb. 14.

The proposed bill overlaps between HIPAA and state privacy laws, as legislators added medical information and health insurance identification numbers to the types of personal information covered by the bill. This includes the timeframe.

[Also: North Carolina proposes law requiring data breaches to be reported in 15 days]

Current Colorado privacy laws state organizations must report without “reasonable delay,” while HIPAA regulation requires healthcare organizations report breaches within 60 days after a breach is discovered.

The proposed rule creates a 30-day breach notification rule, from the time the organization determines “there is sufficient evidence to conclude that a security breach has taken place."

And “in the case of a conflict between the time period for notice to individuals [under Colorado law or federal regulation or law], the law or regulation with the shortest time frame for notice to the individual controls," according to the amended bill.

[Also: Iowa legislature proposes requiring orgs to report breaches within 45 days]

Also noteworthy, the bill’s language regarding personal information extends further than HIPAA language to include passwords, passcodes and the like, so providers will need to make sure they are compliant with the state’s statute.

The legislation has been referred to the Committee on Appropriations for consideration. If the bill passes, Colorado would join Florida as the toughest states on breach notification timelines.

[Also: Proposed Senate bill would fine, jail execs who conceal data breaches]

Florida also has a 30-day notification rule, but allows an additional 15 days if there’s a “good cause for the delay.”

States have been steadily proposing modifications to privacy laws, given the increase in cyberattacks. For example, North Carolina is currently considering legislation to give organizations just 15 days from time of discovery to report a breach.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com