Organizations must contract with Vendors to whom the Organization discloses personal information. Colorado’s data disposal law covers paper and electronic documents. Colorado’s data disposal law requires entities to develop a written policy for the protection of and disposal of documents containing personal identifying information. If an organization contracts with a Vendor for the disposal of documents containing personal information, the Vendor will have the responsibility for proper disposal of the documents. If the Organization does not enter into a contract with the Vendor, the Organization will retain the responsibility for proper disposal of the documents.

Breach reporting to the Colorado Attorney General is required when a breach involves 500 or more Colorado residents. Breach reporting to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis is required when a breach involved 1,000 or more Colorado residents.

There are specified requirements for consumer notification. If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.

A vendor discovering a breach or suspected breach must notify the organization. The organization is responsible for reporting to the regulator and consumer notification. Vendors under contract with whom an organization shares personal information must implement and maintain appropriate security procedures and practices.

The Attorney General may bring an action in law or equity to address violations, and for other relief that is appropriate to ensure compliance or to recover direct economic damages, or both. Organizations may be fined or penalized for Vendor violations.