Democratic Colorado Gov. John Hickenlooper has signed a bill into law that would require that residents be notified by a company or other organization of a data breach within 30 days after it has been discovered.
A data breach is an incident in which sensitive, protected or confidential information is stolen or taken from a computer system by an unauthorized individual.
The new law, which applies to organizations that do business with Colorado residents, also mandates that consumers be given the date of the breach and a description of what was accessed.
While every state now has a data breach notification law, many use vague language defining how quickly consumers must be informed once a data breach is discovered. Statutes often include the phrase “without unreasonable delay” or “in the most expedient time possible.”
One of the Colorado measure’s co-sponsors, Republican state Rep. Cole Wist, said the term “reasonable” is too loose and subjective and can delay consumers from acting quickly to try to prevent themselves from becoming victims of identity theft, as he has been.
The new law, which takes effect Sept. 1, requires the 30-day notification unless an investigation by the entity that was breached determines that the misuse of information about a resident has not occurred and is not reasonably likely to occur.
Legislators in a number of states have been trying to toughen consumer protections in the wake of law year’s massive Equifax breach that exposed the personal data of nearly 148 million Americans.
Last year, there were a record 1,579 data breaches in the United States, a nearly 45 percent hike over the previous year, according to the Identity Theft Resource Center, a nonprofit that helps victims of identity theft and promotes public awareness.