Colorado has enacted groundbreaking privacy and cybersecurity legislation that will require covered entities to implement and maintain reasonable security procedures, dispose of documents containing confidential information properly, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country.

The new law—which becomes effective on September 1, 2018—was spearheaded by the Colorado Attorney General’s office, which is charged with enforcing its requirements.  As a result of the legislation, covered entities should consider implementing written information security programs, third party vendor management controls, and incident response plans to best position themselves against potential enforcement actions and civil litigation in the future.

On Monday, June 4, 2018, at 12 PM PT/1 PM MT/3 PM ET, Ballard Spahr attorneys will hold a webinar to provide an in-depth analysis of the new law and to discuss what covered entities must do to ensure compliance.

For a discussion of the new law’s most notable provisions, see our legal alert.


Arizona Governor Doug Ducey signed HB 2154 into law on April 11, 2018, amending and strengthening the state’s data breach notification law. Notably, the amended law significantly expands the definition of “personal information” to include a number of new data elements, including online account credentials, certain health information, and biometric data used to authenticate an individual when the individual accesses an online account.  The amended law also requires that notice be provided within 45 days after a determination that a “security system breach” has occurred and adds an obligation to notify the Arizona Attorney General and nationwide consumer reporting agencies if the security system breach involves more than 1,000 individuals.

On April 25, 2018, from 1 p.m. to 2 p.m. MT, Ballard Spahr attorneys will hold a webinar—Arizona Strengthens and Expands Data Breach Notification Law.

Alabama officially joined the data breach notification party last month when the state’s governor signed a data breach notification law that will take effect on June 1, 2018.  Although Alabama was the last state in the country to enact such a law, its new law will immediately take its place among the most stringent in the nation.

For a summary of the law’s provisions, see our legal alert.


In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers.  Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.

The bills are a direct reaction to Equifax’s data breach disclosure last summer.  Oregon, New York, Alabama, and Rhode Island have now joined the list of states considering new data breach legislation.  Such legislation has already been proposed in Arizona, Colorado, North Carolina, and South Dakota.

See our legal alert for an analysis of how the new bills could affect covered entities.

Appearing before the House Financial Services Committee yesterday at a hearing entitled “The Annual Report of the Financial Stability Oversight Council” (FSOC), Treasury Secretary Mnuchin indicated that he intends to discuss the CFPB’s handling of its investigation of Equifax’s massive 2017 data breach with the FSOC.

We blogged yesterday about Reuters’ report that the CFPB’s investigation has sputtered since it was authorized by former CFPB Director Cordray shortly after Equifax revealed the data breach.  We commented that the Reuters report was not surprising since there is substantial doubt as to whether the CFPB has enforcement jurisdiction over data breaches.  We also noted that even though the CFPB appears not to be involved in the Equifax matter, this has not stopped the FTC and state attorneys general from aggressively pursuing their own investigations.

Secretary Mnuchin’s statement that he plans to discuss the CFPB’s investigation with both the FSOC and Mick Mulvaney, President Trump’s designee as CFPB Acting Director, was made in response to concerns expressed by a Committee member about the CFPB’s inaction.  The FSOC, which was established by the Dodd-Frank Act to analyze and mitigate potential threats to the financial sector, is comprised of representatives from each of the federal financial regulators, including the CFPB.

The Consumer Law & Policy Blog, in a blog post today, quoted a CFPB spokesperson who stated that reports that the CFPB is not looking into the Equifax data breach and Equifax’s response are incorrect.  The blog post also referenced an American Banker article that suggested that the CFPB is taking a backseat to the FTC, the lead investigator, and rather than abandoning its investigation, may in fact be coordinating with the FTC.