Earlier this year, the Colorado General Assembly enacted one of the most stringent data protection laws in the country. This law applies to Colorado businesses and governmental entities as well as third-party vendors who collect and maintain personal identifying information (“PII”). C.R.S. 6-1-713 defines PII as “a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data, as defined in section 6-1-716 (1)(a); an employer, student, or military identification number; or a financial transaction device, as defined in section 18-5-701 (3).” This definition includes bank account and debit/credit card information.

Effective September 1, 2018, associations, management companies, and their vendors that collect and maintain PII must adopt policies concerning the protection of that information and procedures for handling breaches and destruction of documents containing PII.

Our attorneys can assist with the preparation of a policy for your association. Please contact us to discuss your association’s needs related to this new data breach law. We look forward to helping you with this compliance issue before a breach occurs.