Governmental entity - protection of personal identifying information definition.

  1. Law
  2. Colorado Revised Statutes
  3. Government - State
  4. Security Breaches and Personal Information
  5. Governmental entity - protection of personal identifying information definition.

Checkout our iOS App for a better way to browser and research.

(1) To protect personal identifying information, as defined in section 24-73-101 (4)(b), from unauthorized access, use, modification, disclosure, or destruction, a governmental entity that maintains, owns, or licenses personal identifying information shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the governmental entity.

(2) Unless a governmental entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the governmental entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices that are:

  1. Appropriate to the nature of the personal identifying information disclosed to thethird-party service provider; and

  2. Reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.

(3) For the purposes of subsection (2) of this section, a disclosure of personal identifying information does not include disclosure of information to a third party under circumstances where the governmental entity retains primary responsibility for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal identifying information and the governmental entity implements and maintains technical controls reasonably designed to:

  1. Help protect the personal identifying information from unauthorized access, modification, disclosure, or destruction; or

  2. Effectively eliminate the third party's ability to access the personal identifying information, notwithstanding the third party's physical possession of the personal identifying information.

  1. A governmental entity that is regulated by state or federal law and that maintainsprocedures for storage of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section.

  2. For the purposes of this section, "third-party service provider" means an entity thathas been contracted to maintain, store, or process personal identifying information on behalf of a governmental entity.

Source: L. 2018: Entire article added, (HB 18-1128), ch. 266, p. 1640, § 4, effective September 1.


Download our app to see the most-to-date content.