By Sam Light, General Counsel
As these examples illustrate, municipalities collect, store and use all sorts of personal information to serve their citizens and conduct operations. The loss, breach or misuse of this information can result in significant expense and the potential for cyber liability claims. While there are several federal and state data privacy laws already on the books, those laws often focus on limited types of information[i] or operations,[ii] or do not broadly address a municipality’s duties in the event of a data breach.
That has changed with adoption of Colorado House Bill 18-1128 (“HB 1128” or “Privacy Law”), which took effect September 1, 2018 and places new data privacy requirements on home rule and statutory cities and towns. The Privacy Law[iii] requires governmental entities that maintain paper or electronic documents containing “personal identifying information” (PII) to: adopt a written policy for the destruction of PII; implement and maintain reasonable security procedures for protection of PII; and disclose and provide notice of data breaches. This article summarizes the main requirements of HB 1128. It also provides an overview of CIRSA’s cyber coverage, which provides certain protections for claims and expenses arising from privacy breaches, and provides links to additional member resources for managing cyber risks.
Protection and Disposal of PII
The Privacy Law includes new obligations for municipalities for protection and disposal of “personal identifying information (PII).” PII is defined to include: a social security number; a personal identification number; a password; a pass code; a state or government-issued driver’s license or identification card number; a passport number; biometric data; an employer, state or military identification number; or a “financial transaction device,” which includes most any type of credit or bank card or financial account number. Governments routinely collect these bits of information for any number of functions, from utility accounts to employment verification.
Regarding disposal, HB 1128 requires governmental entities that maintain paper or electronic documents containing PII to “develop a written policy for the destruction or proper disposal” of those documents. The policy must require that when the paper or electronic documents are no longer needed, they are destroyed by shredding, erasing, or otherwise modifying the PII in the documents to make the PII unreadable or indecipherable through any means. If your entity contracts with a recycler or disposal firm for destruction of documents with PII, the contract should require the company verify documents with PII are destroyed or disposed of as required by the Privacy Law.
Municipalities are already familiar with records retention and disposal policies,[iv] and the specific disposal requirements of the Privacy Law can be rolled into existing policies,[v] or set forth separately. The Privacy Law does not specify how its required written policy must be adopted; thus, each entity should determine whether to adopt its policy by action of its records custodian or another official, or by action of the governing body.
Affirmative Obligations to Protect PII
In addition, governmental entities that maintain, own or license PII, including those that use a third party as a service provider, shall implement and maintain reasonable security procedures and practices to protect PII that are appropriate to the nature of the PII and the nature and size of the entity. The entity must also require such procedures and practices of its third-party service providers, unless the entity agrees to provide its own security protection for PII it discloses to the third party. Therefore, municipalities will need to review their service agreements with their third-party vendors that receive PII to ensure those contracts include language to meet HB 1128 requirements. Contracts implicated by the new rules could include, for example, those with firms hired to process online payments or conduct employment background verifications.
New Security Breach Requirements
The Privacy Law’s most significant provisions are its new requirements to disclose and provide notice of a security breach. A “security breach” is an unauthorized acquisition of unencrypted computer data that compromises the security, confidentiality or integrity of “personal information” maintained by the government. There are specific exclusions specifying that a breach does not occur if the personal information is already available to the general public, or when it is accessed in good faith by a government employee or agent for a lawful government purpose.
Note, the Privacy Law’s security breach requirements apply to a breach of “personal information,” which is a broader term than “PII.” Specifically, “personal information” (PI) means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military, or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data.
“Personal information” also includes a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers that would permit access to an online account. Finally, personal information also includes a Colorado resident’s account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account.
HB 1128 requires the governmental entity, when it becomes aware that a security breach may have occurred, to conduct a prompt investigation to determine the likelihood that PI has been or will be misused. Unless it determines misuse has not occurred and is not likely to occur, it must give notice to affected Colorado residents. The notice must be given “in the most expedient time possible and without unreasonable delay,” but not later than 30 days after determining the breach occurred.
There are detailed provisions for what must be included in the notice, including information about the breach itself, a description of the PI that was compromised, and contact information for the governmental entity, consumer reporting agencies, and the Federal Trade Commission. Additionally, if the breach compromised any usernames, e-mail addresses and/or log-in credentials, the notice must direct the recipients to change their passwords and related information.
Depending on the extent of the breach, notices must also be sent to the Colorado Attorney General (if more than 500 residents are affected) and to nationwide consumer reporting agencies (if more than 1000 residents are affected). The Attorney General’s office has authority to enforce the Privacy Law and may bring an action for injunctive relief to enforce the new requirements. While HB 1128 includes provisions for the recovery of economic damages from non-governmental covered entities, these provisions are not in the portions of the bill applicable to governmental entities. Nonetheless, governments could still see potential claims for damages arising from breaches of their computer systems; for example, through claims of negligence or some other theory of liability.
The noteworthy takeaway from the Privacy Law’s breach requirements is that governments must act promptly to investigate any breach as soon as there is evidence that one has occurred. Depending on the scope of the security breach, the costs of investigation and providing notice can be substantial. HB 1128 prohibits governments from obtaining waivers of the notice requirements, and from charging notice costs to individuals.
CIRSA Cyber Coverage
To protect members against cyber liability risks, CIRSA coverages include Cyber (Data Privacy and Network Security) Coverage which has two parts. The first part, Security and Privacy Breach Liability coverage, applies to losses arising from a computer security failure including a compromise of personal information. It responds to claims arising from a security breach, and to defense costs from a regulatory investigation of a data breach. This coverage provides a per loss and annual aggregate Member coverage limit of $500,000. The second coverage part, Public Relations Expense, Privacy Breach Expense and Cyber Extortion Expense, applies to costs a member incurs for responding to a privacy breach, including both mandatory and voluntary notification expenses, attorney’s fees, investigation costs and credit monitoring subscriptions. This coverage provides a per loss and annual aggregate Member coverage limit of $100,000. CIRSA also offers Excess Cyber Liability coverage as an optional coverage for limits above these amounts.
CIRSA’s Cyber Coverage is congruent with obligations of the Privacy Law and intended to respond to claims and expenses a member may face in the event of a breach of personal information. Therefore, if your municipality has a security breach, contact CIRSA right away for help in assessing the situation and to discuss claims services and coverage issues.
If you have general questions about CIRSA’s Cyber Coverage, contact your CIRSA underwriting representative at 800.228.7136. If you need to report or discuss a claim, contact your CIRSA claims representative or the Claims Department at 800.228.7136. Claims can also be reported electronically through the claims section of the CIRSA website.
Conclusion & Resources for Preventing Data Breaches
While popular press stories tend to focus on massive data breaches of large corporations, local governments are not immune, and security breaches are increasingly common.[vi] With Colorado’s new Privacy Law, municipalities now have additional obligations to ensure they are properly protecting and disposing of personal information, and to act in a timely manner on security breaches. Members are encouraged to review the Privacy Law and update their policies and procedures as needed.
To assist members with cyber risks, CIRSA has partnered with NetDiligence—a leader in data breach and cyber risk prevention—to provide members with free access to cyber risk management tools and resources. The NetDiligence eRisk Hub tools are available through CIRSA’s website. To learn more, also view our prior Coverage Line article, “Online Security Self-Assessment and Resources.”
[i] For example, Colorado Revised Statutes (C.R.S.) Section 24-72.3-102 has long imposed certain requirements intended to protect social security numbers. It states a public entity shall not issue a license, permit, pass, or certificate that contains the holder’s social security number, unless including it is needed to further the purpose of the document or is required by federal law. This section also says a public entity shall not request a person’s social security number over the phone, internet, or via mail unless receiving the SSN is required by federal law or is essential to the provision of services.
[ii] The Federal Trade Commission’s rules on identity theft, known as “Red Flag Rules,” include a definition of “creditor” that can affect municipal utility providers. Because of this, many municipal utilities already have identity theft prevention programs under the Red Flag Rules.
[iii] The Privacy Law includes new rules for both businesses and governmental entities. The governmental rules, included in a new Article 73 to Title 24 of the Colorado Revised Statutes, begin on page 11 of the Act. Members should consult with their City/Town Attorney’s office for advice on specific legal requirements.
[iv] For example, C.R.S. Section 24-72-203(1)(b)(I) requires the records custodian to adopt a retention, archiving and destruction policy for digital records.
[v] For example, many municipalities have adopted the Colorado Municipal Records Retention Schedule. That Schedule includes an Appendix with Methods of Records Destruction which could be used with revisions to reflect local procedures and Privacy Law requirements.
[vi] According to a 2016 International City/County Management Association survey, over 40 percent of local government chief information officers responding reported an increase in computer security events in the preceding twelve months. For general interest, see the Government Technology website article, “Small Towns Confront Big Cyber-Risks.”