Colorado Bar Association
Section Newsletter
Ed Naylor, Editor

IN THIS ISSUE

The Colorado Division of Securities Issues New Rules — Effective July 31, 2018
The Crowdfunding Small Offering Exemption and Other Changes

By Herrick K. Lidstone, Jr., Burns, Figa & Will, P.C., Greenwood Village, CO

The Colorado Securities Act, C.R.S. § 11-51-101 et seq. (the “CSA”), is administered by the Securities Commissioner (C.R.S. § 11-51-701) subject to the oversight of the Colorado Securities Board (C.R.S. § 11-51-702.5(4)).

The CSA, like the blue sky laws in many other states, has a broad applicability to “securities” and:

  1. Requires the availability of a registration or an exemption from registration before securities are offered or sold to investors in or from Colorado;
  2. Requires the licensing of broker-dealers, investment advisers, and their representatives involved in securities transactions in Colorado; and
  3. Provides significant enforcement powers to the Commissioner including bringing cease and desist actions (C.R.S. § 11-51-606(1.5)), or civil or administrative enforcement actions (C.R.S. § 11-51-601, -602, and -606).

Under C.R.S. § 11-51-603, the Commissioner may refer evidence of a violation of the CSA that constitutes a felony or misdemeanor to the attorney general’s office or the appropriate district attorney for consideration of prosecution.

The Commissioner has adopted rules interpreting the CSA which are found at 3 CCR 704-1, available through the Colorado Secretary of State’s website. (C.R.S. § 24-4-103(11) requires that the Secretary of State maintain the official publication of the state’s administrative rules.) The Commissioner adopted new rules in 2017 which I discussed in the August 2017 Business Law Section newsletter available at cobar.org/businesslaw. This article discusses new rules adopted by the Commissioner which became effective July 31, 2018.

In a rule-making process that commenced in October 2017 with a “crowdfunding forum” hosted by the Commissioner, the Colorado Division of Securities (the “Division”) has issued significant amendments to its rules. The Division published its proposed rules on March 2, 2018, held a hearing on the proposed rules on May 1, 2018, after receiving written comments from five people, made certain amendments to the proposed rules, and published the final rules after completing the administrative approval process on July 12, 2018. These rules are available on the Secretary of State’s website at sos.state.co.us/CCR/eDocketDetails.

The following sets forth a review of the significant amendments to the Division’s rules, and some questions left unanswered or unaddressed, starting with the significant and potentially beneficial changes to the rules under the Colorado Crowdfunding Act (C.R.S. § 11-51-308.5, the “CCFA”).

The New Small Crowdfunding Offering Exemption

Colorado enacted the CCFA in 2015 with a legislative finding that “[s]tart-up companies play a critical role in creating new jobs and revenues; and [l]ack of access to capital is an obstacle to starting and expanding small business, inhibits job growth, and has negatively affected the state’s economy.” C.R.S. § 11-51-308.5(2)(a). Unfortunately, it’s not working, as I stated at a forum conducted by the Securities Commissioner in October 2017 and in written testimony before the Division, “Crowdfunding in Colorado Is Not Working – A Solution Proposed” (paper available at ssrn.com/abstract=2933748). As I expressed in the paper, at the conference, and in my written testimony, the rules regulating crowdfunding initially drafted to meet the escrow-agent and online-intermediary requirements of the CCFA met the complicated requirements of the CCFA, but were too complex. As a result, not a single “crowdfunding offering” has been completed in the two and a half (and now three) years since the enactment of the CCFA.

One of my suggestions was that the Commissioner act without further legislative authority to modify the rules to provide a crowdfunding exemption that might be more useful and user-friendly. I suggested that the Commissioner could use his rulemaking authority in C.R.S. § 11-51-309. In fact, because of the procedural difficulties and lack of precision in the legislation process, I believe that Commissioner rulemaking was the preferable way to proceed. In adopting the Crowdfunding Small Offering Exemption, that is the direction the Commissioner took.

Rule 51-3.27. Crowdfunding – Small Offering Exemption. In response to suggestions by several commentators for a rule to allow crowdfunding for a smaller dollar amount with significantly less regulation, the Commissioner added Rule 51-3.27 to the proposed rules establishing the “Crowdfunding – Small Offering Exemption.” This new rule reads as follows:

Upon approval of the Commissioner, an issuer who files a Form CF-1, a consent to service of process, and a Form CF-2 as required by Rules 51-3.20, 51-3.21 and 51-3.22, pays the required fees, maintains issuer records required by Rule 51-3.23, [meets] the additional issuer requirements set forth in Rule 51-3.24 and is not disqualified as contemplated in Rule 51-3.30, and the issuer is not seeking to raise not more than $500,000 in any twelve-month period, the issuer may proceed with the offering under these rules without imposing a minimum offering and without using an online intermediary. [The rule as adopted does not include the bracketed word “meets” but likely should.]

While this seems to be an excellent step in the correct direction, this rule leaves at least two questions:

  1. The CCFA requires a notice filing of the Form CF-1 and the disclosure package in Form CF-2. While the Commissioner was always entitled to take action where the filings were not made or were found to violate provisions of the Colorado Securities Act, there was no “approval process” included in the rules or the statute. Rule 51-3.27 now seems to contemplate an “approval of the Commissioner” where such a process does not yet exist.

  2. While it seems to be implicit but not clearly stated, Rule 51-3.27 seems to exempt issuers using the Crowdfunding – Small Offering Exemption from the escrow agent requirements in addition to the other requirements that are specifically addressed in the new rule. It would have been helpful for the last sentence of Rule 51-3.27 to have stated that “the issuer may proceed with the offering under these rules without imposing a minimum offering and without using an online intermediary or any escrow agent.” (The escrow requirement is established in the CCFA and the requirements for the escrow agreement in Rule 51-3.24.F.)

Notwithstanding those questions, the new Small Offering Exemption will hopefully open up the ability of small business capital formation to raise capital from a large number of people under the CCFA. Given the small amount of capital that can be raised under the new exemption, it is unlikely attorneys will be involved; however, the Commissioner’s Form CF-2, if competently completed, provides good disclosure to potential investors. (CCFA issuers must also file a Form CF-1 and a consent to service of process with the Commissioner, as well as pay a fee.)

While the Small Offering Exemption may result in it being easier for small businesses to raise capital in smaller investment amounts from a large number of people without violating the CSA, the fact remains that the small business may have a large number of owners of various sizes. As noted in another article (Crowdfunding In Colorado – One Person’s Opinion, available at ssrn.com/abstract=3052254):

The good thing about crowdfunding (however it is accomplished) is that an issuer can raise capital from a number of people, from tens to hundreds to perhaps a greater number.

The bad thing about crowdfunding is that an issuer can raise capital from a number of people, from tens to hundreds to perhaps a greater number. Investors have a belief that they should be kept informed about the progress of the business – and the rules of the CCFA require that be done. Any modified rules creating greater flexibility for smaller offerings will likely continue the reporting requirements in the CCFA.

The CCFA requires that the issuer “maintain all records with respect to any offering conducted pursuant to the [CCFA] as the securities commissioner may by rule require.” C.R.S. § 11-51-308.5(3)(a)(IV)(E). The CCFA also requires that the issuer provide a quarterly report “free of charge” to all investors as set forth in C.R.S. § 11-51-308.5(3)(a)(XIII). The Commissioner has expanded and explained these requirements in Rule 51-3.23 (Crowdfunding – Issuer Records) and Rule 51-3.24.I (Additional Issuer Requirements) by requiring that the report be provided within 45 days after the end of each quarter.

Karl Dakin (InvestLocalColorado.com, an online intermediary) has suggested certain pragmatic problems of an issuer conducting a crowdfunding campaign without an intermediary. As Mr. Dakin notes, typically, a business lacks the time, money or knowledge to conduct a campaign that involves a large number of people – especially where a $100,000 offering with a minimum investment of $100 could result in 1,000 investors. Will the issuer, with its staff oriented toward business operations, be able to manage the investors, meet the regulatory requirements for delivering reports, and otherwise respond to investor issues? An online intermediary or other service-provider can be hired to provide these services to the small business, but at an additional cost. Mr. Dakin has stated that the removal of the intermediary may only work for those businesses with a good management team that can build and manage a crowd of investors or which is willing to incur the added expense of hiring an experienced professional to help the issuer manage the crowd of investors following the completion of the campaign – and perhaps during the Small Offering Exemption campaign.

Rule 51-3.20.E (Notice Filing Review) is a new rule that gives the Commissioner the ability to reject any “crowdfunding notice filing pursuant to section 11-51-308.5(3)(a)(IV)(A), that fails to comply with, and/or violates section 11-51-308.5, C.R.S., rules under the [CCFA], the Colorado Securities Act, rules under the Colorado Securities Act, and/or any order or orders issued by the securities commissioner.” In rejecting the notice filing, the Commissioner may also “require that the issuer correct the incompliance and/or violation(s), and re-submit the notice filing.” Of course, this necessarily implies that the Commissioner has the right to review and reject a “notice filing” (which seems somewhat inconsistent). Nevertheless, the rules do not require that the Commissioner review filings which, apparently, the Commissioner may choose to do in his discretion.

The Commissioner has always had the ability to investigate and enforce compliance with the Colorado Securities Act under Part 6 of the Act (Enforcement and Civil Liability) by investigation, § 11-51-601, injunction (§ -602), criminal enforcement (§ -603), civil enforcement (§ -604), and administrative enforcement (including cease and desist authority, § -606). The Commissioner made this enforcement right even clearer in the crowdfunding context in new Rule 51-3.24.M which provides that failure to comply with the crowdfunding rules leads to the possibility of Commissioner enforcement.

Nevertheless, Rule 51-3.20.E is appropriate in the crowdfunding context because it gives the Commissioner an alternative approach short of a formal enforcement action – allowing the Commissioner to identify a deficient notice filing and advise the person submitting the notice filing to correct it. The Commissioner may do this without bringing a formal enforcement proceeding. This could prove to be especially useful in connection with the CCFA Small Offering Exemption, where one would expect that small business issuers would be less likely to use attorney services for such a small offering and may, in good faith, make incomplete or erroneous filings.

Unfortunately, as written, there is no time period within which the Commissioner must act. Since the CF-1 and CF-2 filings (as well as the consent to service of process and the filing fee) must be made ten days before the commencement of the crowdfunding offering (even in the small offering exemption), it is possible that the issuer may commence the offering before receiving notice from the Commissioner – perhaps well before. [See Rules 51-3.21 (consent to service of process), 51-3.22.A (Form CF-2 disclosure form), 51-3.20.A (fee), and 51-3.20.C and statute (Form CF-1)]. Hopefully the Commissioner will act quickly upon receipt of these crowdfunding notice filings.

Other Amendments to the Rules to Facilitate Crowdfunding

In response to comments and his forum conducted in October 2017, the Commissioner made other changes to the rules to facilitate crowdfunding as originally contemplated – through an online intermediary with an escrow agent:

Rule 51-3.22.C required that the issuer provide audited financial statements for crowdfunding offerings in excess of $1,000,000. As amended, the financial statements need only be reviewed. While certified public accountants must be involved in either reviewed or audited financial statements, the review does not have to be completed in accordance with generally accepted auditing standards. The review gives lesser assurance than an audit, but also is significantly less expensive. An audit requires the CPA to express positive assurance, while a review requires the CPA to express only limited assurance. Also, in an audit the CPA states an opinion about the financial statements as a whole; a review does not, since it does not undertake the process of understanding the entity’s system of internal controls. While this change may not be consistent with the statutory requirements found in C.R.S. § 11-51-308.5(3)(a)(II), it is within the Commissioner’s authority under C.R.S. § 11-51-309.

Rule 51-3.24.F was amended to expand the definition of persons eligible to act as an escrow agent in an offering under the Colorado Crowdfunding Act to permit “an unaffiliated depository institution or other escrow agent approved by the commissioner.” “Depository institution” is defined in § 11-51-201(5). This also gives the Commissioner the authority to broaden the persons who may be permissible escrow agents – perhaps to include law firms or accounting firms in the appropriate circumstances.

Rule 51-3.24.F.1.f implicitly permits the Commissioner to waive the crowdfunding minimum requirement. The first place that the Commissioner has done so is within the new “Small Offering Exemption” found in Rule 51-3.27.

The new rules also repeal former Rule 51-3.27 which established online intermediary supervisory procedures. This change may help make crowdfunding under the CCFA more flexible and therefore more available.

Previously, Rule 51-3.29.A.2 prohibited the online intermediary from receiving any financial interest in an issuer as a result of the crowdfunding offering. As amended, Rule 51-3.29.A.2 permits the online intermediary to receive a financial interest in the issuer if disclosed on Form CF-2. This change also may help to make crowdfunding more available by reducing the cash cost and potentially putting the interests of the online intermediary (as an investor) in line with the other purchasers of crowdfunded securities. This also points out the importance of accurate and complete disclosure.

C.R.S. § 11-51-308.5(3)(a)(XI) states that the CCFA exemption shall not be used in conjunction with any other Colorado securities offerings during the preceding twelve-month period which is “part of the same issue.” In 2017, the Commissioner adopted a rule to determine when crowdfunding offerings should be integrated with other private offerings under the Colorado Securities Act.

Rule 51-3.23.K (based on federal SEC Regulation D, Rule 502(a)) states that whether “offers, offers to sell, offers for sale, and sales of securities are part of the same issue (i.e., are deemed to be integrated) is a question of fact and will depend on the particular circumstances.” When crowdfunding under the CCFA becomes an important source of capital, this Rule will be extremely important, and beneficial.

Small Offering Exemption Summary. Because of the limited amount that can be raised through the small offering exemption under Colorado’s crowdfunding rules, it will be difficult for small businesses to afford legal advice throughout the process. Fortunately, Rule 1.2(c) of the Colorado Rules of Professional Conduct and Comment [6] through [8] contemplate a lawyer limiting the scope of her client representation with the informed consent of the client. This may provide a much more reasonable basis for a lawyer’s fee and permit the lawyer to disclaim typical securities liability where the lawyer, pursuant to the limited scope of the representation, merely provides the small business advice about complying with the rules and preparing the disclosure documents (Form CF-1 and CF-2). It will still be an expense to the small business, however.

Additionally, were I counselling a small business seeking capital under the Small Offering Exemption, I would suggest to the client that the business:

  1. Aim to raise 30% to 50% more than your carefully-prepared business plan indicates that you will need (which of course presumes the preparation of a carefully prepared business plan);
  2. Obtain and pay for assistance in preparing, filing, and obtaining Securities Commissioner approval of the disclosure documents to be filed with the Securities Commissioner (the CF-1 and CF-2), and hopefully the assistance is from someone who understands the disclosure process and regulatory process;
  3. Limit the investment opportunity – while a number of investors at $50 apiece sounds interesting, my experience in other circumstances shows that the smaller investors may make the most noise. I would recommend looking at people who can easily afford a $500 or (even better) a $1,000 investment; and
  4. Be prepared for the post-offering disclosure and reporting obligations.

While the Small Offering Exemption may be a game changer in Colorado for small business capital formation, there are risks associated with the process which small businesses seeking to use the exemption must appreciate.

Other Significant Rule Changes

Rule 51-3.9 defines Colorado’s exemption for the secondary trading of securities (that is, non-issuer trading) in the public markets. Since August 19, 2016, Colorado had, by no-action letter (drive.google.com/file/d/0BymCt_FLs-RGMDQ2TUNsZHl6NEE/view), extended that treatment to securities traded on the OTCQX and OTCQB trading markets of the OTC Markets Group, Inc. (otcmarkets.com). These markets are now included in the rule so that securities traded on the OTCQX and OTCQB are subject to the secondary trading exemption found in C.R.S. § 11-51-308(1)(b)(I).

Rule 51-3.13. C.R.S. § 11-51-308(1)(p) currently excludes Regulation A offerings from the registration exemption in § 11-51-308(1)(p). In Regulation A+, the Congress (in the JOBS Act of 2012) and the SEC made it clear that Tier 2 offerings were “covered securities” under Section 18(b)(3) of the Securities Act of 1933 and therefore exempt from regulation under state law. The changes to the rules make it clear that the exclusion from the exemption only applies to Regulation A, Tier 1 offerings. The rules added certain reporting provisions for offerings made under Tier 2 of federal Regulation A.

The Commissioner modified Rule 51-6.10 to make it clear that at all hearings an individual may appear on his or her own behalf or be represented by an attorney authorized to engage in the practice of law in Colorado. Any other person or entity who is a Party must be represented by an attorney who is licensed or otherwise authorized to engage in the practice of law in Colorado, except as described by C.R.S. § 13-1-127.

The exception set forth in § 13-1-127 can be important and potentially far-reaching. It provides that representation by an attorney is not necessary in the case of a closely-held entity, and that:

  • [A] closely held entity may be represented before any court of record or any administrative agency by an officer of such closely held entity if:

    1. The amount at issue in the controversy or matter before the court or agency does not exceed fifteen thousand dollars, exclusive of costs, interest, or statutory penalties, on and after August 7, 2013; and

    2. The officer provides the court or agency, at or prior to the trial or hearing, with evidence satisfactory to the court or agency of the authority of the officer to appear on behalf of the closely held entity in all matters within the jurisdictional limits set forth in this section.

A closely held entity is one with no more than three owners. C.R.S. § 13-1-127(1)(a). This is potentially applicable to cease and desist proceedings brought by the Commissioner where there is no amount in controversy – just the authority of the Commissioner to enter a cease and desist order.

Changes to Rule 51-6.3 Governing Cease and Desist Proceedings

In connection with cease and desist orders, two other changes to Rule 51-6.3 are important and solidify the upper-hand held by the Commissioner in bringing cease and desist actions. C.R.S. § 11-51-606(1.5) was enacted in 2001 to permit the Colorado Securities Commissioner, through his staff, to bring expedited procedures requiring respondents to cease and desist violating the Colorado Securities Act. See Lidstone and Joseph, “Putting the Brakes on Securities Fraud,” 30 The Colo. L., No. 9 at 73 (September 2001).

To commence a cease and desist action, the Division staff issues an order to show cause and selects whether to present it to an administrative law judge (“ALJ”) or to a hearing panel appointed by the Colorado Securities Board (established by C.R.S. § 11-51-702.5). The hearing must then be held not earlier than ten nor later than 21 days following mailing of the notice to the respondent. C.R.S. § 11-51-606(1.5)(d)(I). The notice to the respondent must include a copy of the order to show cause, the factual and legal basis for the order, and the date set for hearing on such order. New Rule 51-6.3.D.9 provides:

In the case of any hearing not continued by agreement of the parties, the hearing shall conclude no later than twenty-six (26) calendar days following the service or transmission of the Notice … In the case of any hearing continued by agreement of the parties, the hearing shall conclude no later than forty (40) calendar days following the service or transmission of the Notice … The Hearing Panel or Administrative Law Judge shall not evade the time limits contained herein by commencing the hearing within the time requirements and then recessing or continuing the hearing, or conducting any portion of the hearing, past the time limits for concluding the hearing set forth herein. [Emphasis added.]

Apparently the Division has had difficulties with the hearing panels or ALJs evading the time limits.

Rule 51-6.3.B.9 addresses discovery in cease and desist proceedings. During the first years of exercising cease and desist authority, the rules permitted discovery “upon a showing by a Party of extraordinary need for such discovery, or prejudice to such Party.” [Rule 51-6.3.E.8, since repealed.] At that time, the hearing panel managed discovery in a manner believed not to be abusive to either side, but to protect the rights of the parties to a fair hearing.

In the late 2000s, the Division modified the rule to prohibit any discovery in the context of a cease and desist hearing. During the rule amendment process, a commentator suggested that discovery is a fundamental right in adversary proceedings and that the Hearing Panel or the ALJ, using their authority under (among other rules) Rule 51-6.3.D.5 and D.6 have the authority to limit and eliminate discovery which, in their opinion, appears to be abusive. While the language of Rule 51-6.3.B.9 was changed, the effect continues to be to prevent discovery in cease and desist proceedings.

Conclusion

The new rules adopted by the Colorado Securities Commissioner under the Colorado Securities Act are important to all business practitioners since almost every business financing may involve the offer and sale of securities subject to regulation under the Colorado Securities Act. As described in the Division’s website, colorado.gov/pacific/dora/node/94336, they are very active in the regulatory and enforcement area. Hopefully the changes to the rules under the CCFA, and especially the new small offering exemption, will ease capital formation woes for Colorado’s small businesses.

Protecting Personal Identifying Information in Colorado — The Rules Have Changed

By Lauren M. Collins, Esq., Burns, Figa & Will, P.C.
& Jeremy Schupbach, Director, Legislative Relations, Colorado Bar Association

On September 1, 2018, Colorado House Bill 18-1128 (“HB 1128”) went into effect. HB 1128 essentially heightens Colorado covered entities’ obligations to implement plans to protect and destroy personal identifying information (“PII”) they maintain, own or possess. HB 1128 creates a number of new expectations and definitions of which lawyers, and the clients they advise, must be aware.

Personal Identifying Information

As a result of HB 1128, C.R.S. § 6-1-713(2)(b) now defines PII to mean: “a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data, as defined in section 6-1-716 (1)(a); an employer, student, or military identification number; or a financial transaction device, as defined in section 18-5-701(3).”

Covered Entity

HB 1128 modified the term “covered entity” in C.R.S. § 6-1-713(2)(a) to more broadly include any individual, corporation, partnership, limited liability company or any other legal or commercial entity “that maintains, owns, or licenses [PII] in the course of the person’s business, vocation, or occupation.” Each of us in Colorado, from solo practitioners to large entities, should assume that we, or the business we operate, are a “covered entity” and that we are responsible for compliance. A key point here is that the legislature did not define “maintain,” making it unclear whether the intent is to include simple possession of PII (which could be broadly interpreted to include an email correspondence unread in your inbox) or PII actually curated and kept by covered entities. A court would likely look to the dictionary definition of “maintain,” which one could conservatively read to require more than passive possession. However, when developing a written policy, it may be prudent to go beyond the dictionary definition while not drafting the policy to be so inclusive that it cannot be complied with.

Previously, the state’s PII definition applied to “each public and private entity … that uses documents during the course of business that contain [PII]”, and required that each such entity “develop a policy for the destruction or proper disposal of paper documents containing PII.”

Required Policies and Procedures

As a result of HB 1128, covered entities that maintain, own or license PII of Colorado residents must do more than merely “develop a policy for the destruction or proper disposal of paper documents containing PII.” This new definition now applies whether or not the entity is organized under Colorado law or even doing business in Colorado. Under HB 1128, each covered entity must:

  • Develop written policies for the destruction and maintenance of PII; and
  • Implement and maintain reasonable security procedures and practices to safeguard PII.

To look more closely at these two basic requirements:

“[D]evelop a written policy for the destruction or proper disposal of those paper and electronic documents containing PII.”

In describing the written policy, C.R.S. § 6-1-713(1) requires that the written policy must require that PII in its control or possession be destroyed, or the covered entity must arrange for the destruction of the PII when the PII is “no longer needed.” “Destruction” is defined by reference to “shredding, erasing or otherwise modifying the PII to make it unreadable or undecipherable through any means.”

In addition to developing the required written policy, under C.R.S. § 6-1-713.5(1), each covered entity that maintains, owns, or licenses PII “of an individual residing in [Colorado]” must:

“[I]mplement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII and the nature and size of the business and its operations.”

This clearly gives smaller businesses the right to scale their compliance – but any loss or unauthorized access to PII will likely result in greater liability to the smaller business with less access to cutting edge protection, than it would to a larger business that has the ability to allocate more funds to purchase more robust protection. The intention of the proponents of HB 18-1128 was to create a living law that is continuously updated through case law, and therefore is intentionally left broad and open to interpretation, both by covered businesses and entities, as well as by the Attorney General.

Third-Party Service Providers

A covered entity may contract with a third-party service provider to maintain PII on its behalf. This may include a 401(k) provider, a payroll company, or other third-party service provider. That does not, however, let the covered entity off the hook. C.R.S. § 6-1-713.5(2) requires that the covered entity contracting with the third-party service provider:

[S]hall require that the third-party service provider implement and maintain reasonable security procedures and practices that are:

  • Appropriate to the nature of the [PII] disclosed to the third-party service provider; and
  • Reasonably designed to help protect the [PII] from unauthorized access, use, modification, disclosure, or destruction.

Thus, the covered entity is potentially liable for breaches resulting from a third-party service provider’s action (or inaction) unless the covered entity can show that it accomplished the appropriate due diligence – and we do not know what that term means. Should each covered entity obtain a certification from each third-party service provider each year? The vague language provides some necessary latitude, but should not be interpreted as a “safe harbor” should a breach occur. Until the courts have had an opportunity to interpret the statute, best practice would be to approach this in the most conservative manner keeping the legislative intent in mind when developing policies and procedures.

C.R.S. § 6-1-713(3) and § 6-1-713.5(4) provide that a covered entity that is regulated by state or federal law and that maintains procedures for disposal of PII that complies with the guidance established by the applicable state or federal regulator “is in compliance with this section.”

Notice of Breach of Security for Personal Information

In a provision that is among the most stringent in the United States, C.R.S. § 6-1-716(2) now provides that any covered entity must give notice of a breach of “personal information” security “to the affected Colorado residents” “not later than thirty days after the date of determination that a security breach occurred” unless the covered entity determines, after conducting “in good faith a prompt investigation,” that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. The definition of “personal information” has some overlap with the definition of PII (defined above) but includes some additional items as well. As defined in C.R.S. § 6-1-716(1)(g), “personal information means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident [unless encrypted or otherwise unreadable]: social security number, student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; biometric data;” and even encompasses a Colorado resident’s email address in combination with a password or security questions and answers that would permit access to an online account, and a Colorado resident’s account number or credit or debit card number in combination with any required code that would permit access to that account.

It is important to note that where a covered entity does not even know that a breach has occurred for a period of time, it is still required to notify affected Colorado residents within thirty days of the breach. If that period does not leave sufficient time for the covered entity to conduct a good faith investigation, then notification to all Colorado residents should be made. C.R.S. § 6-1-716(2)(f) also requires the covered entity to notify the Colorado attorney general of the breach.

“Notice” is broadly defined in C.R.S. § 6-1-716(1)(f) to include any of a list of, and sometimes a combination of, methods to notify customers or clients, including mail, telephone, email, posting “conspicuously” on a website or in a “major statewide media.” Notice must be made by the covered entity “in good faith, in the most expedient time possible and without unreasonable delay” and without charge to the affected persons. C.R.S. §§ 6-1-716(2)(a.5) and -716(c). If more than 1,000 Colorado residents are involved in the data breach, C.R.S. § 6-1-716(d) requires that the covered entity “also notify, in the most expedient time possible and without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.”

As now required in C.R.S. § 6-1-716(2)(a.2), the notice must contain information about the date or dates of the breach, a description of the personal information that was subject to the breach, and various methods by which the Colorado residents subject to the breach can obtain more information. Where passwords and similar access points are thought to be compromised, C.R.S. § 6-1-716(2)(a.3)(1) requires that the notice also direct the recipients to change passwords and other log-in credentials.

Notice to the affected persons may only be delayed “if a law enforcement agency determines that the notice will impede a criminal investigation” and the agency “has notified the covered entity … not to send notice.”
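The notice rules summarized above reduce to a decision procedure: does an exposed record meet the statutory combination test for “personal information,” how many Colorado residents are affected, and which notifications follow. The following is an added, constructed compliance helper (not code from the article, the CBA, or any Colorado authority) that encodes that procedure as the article describes it: the name-plus-data-element rule with the encrypted/unreadable carve-out, the email-plus-credential and account-plus-access-code combinations, the thirty-day deadline from the date of determination, attorney general notice, the 1,000-resident consumer-reporting-agency threshold, the credential-change direction, and the law enforcement hold. Field names such as `ssn`, `security_qa` and `access_code`, the sample records, and the determination date are this example's assumptions.

```python
"""Constructed compliance helper (not from the article or any Colorado
authority) that evaluates breached records against the notice rules as the
article summarizes them.  Field names below are this example's assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# Data elements that become "personal information" when combined with a
# resident's first name (or initial) and last name.
NAME_LINKED_ELEMENTS = frozenset({
    "ssn", "student_id", "military_id", "passport_number",
    "drivers_license", "state_id_card", "medical_information",
    "health_insurance_id", "biometric_data",
})
# Credentials that, together with an email address, permit account access.
CREDENTIAL_ELEMENTS = frozenset({"password", "security_qa"})


def _present(record: dict, unreadable: frozenset) -> frozenset:
    """Fields holding a value that were NOT encrypted/unreadable when exposed."""
    return frozenset(k for k, v in record.items()
                     if v not in (None, "") and k not in unreadable)


def is_personal_information(record: dict, unreadable: frozenset = frozenset()) -> bool:
    """True if the record, as actually exposed, meets the combination rule."""
    p = _present(record, unreadable)
    has_name = ("first_name" in p or "first_initial" in p) and "last_name" in p
    if has_name and p & NAME_LINKED_ELEMENTS:
        return True
    if "email" in p and p & CREDENTIAL_ELEMENTS:          # email + password / Q&A
        return True
    if ("account_number" in p or "card_number" in p) and "access_code" in p:
        return True                                        # account + access code
    return False


@dataclass(frozen=True)
class NoticePlan:
    affected_residents: int
    resident_deadline: Optional[date]          # None: no notice due, or held by law enforcement
    notify_attorney_general: bool
    notify_consumer_reporting_agencies: bool   # more than 1,000 Colorado residents
    direct_credential_change: bool             # passwords / log-in credentials exposed


def plan_notice(records: Iterable[dict], determination_date: date,
                misuse_not_reasonably_likely: bool = False,
                law_enforcement_hold: bool = False,
                unreadable: frozenset = frozenset()) -> NoticePlan:
    """Work out the notifications the article describes for a breached record set."""
    affected = [r for r in records
                if r.get("state") == "CO" and is_personal_information(r, unreadable)]
    n = len(affected)
    # No Colorado "personal information" exposed, or a good-faith investigation
    # concluded misuse has not occurred and is not reasonably likely: no notice.
    if n == 0 or misuse_not_reasonably_likely:
        return NoticePlan(n, None, False, False, False)
    creds_exposed = any(_present(r, unreadable) & CREDENTIAL_ELEMENTS for r in affected)
    # Thirty days run from the date of determination; a law enforcement request
    # not to send notice suspends the resident deadline.
    deadline = None if law_enforcement_hold else determination_date + timedelta(days=30)
    return NoticePlan(n, deadline, True, n > 1000, creds_exposed)


# Constructed sample input: five exposed records; health insurance IDs were
# encrypted in the breached store, so record 3 does not qualify.
SAMPLE_RECORDS = [
    {"state": "CO", "first_name": "Ada", "last_name": "Lovelace", "ssn": "000-00-0000"},
    {"state": "CO", "first_name": "Bob", "last_name": "Smith",
     "email": "bob@example.com", "password": "$argon2id$..."},
    {"state": "CO", "first_initial": "C", "last_name": "Doe", "health_insurance_id": "HI-1"},
    {"state": "TX", "first_name": "Dan", "last_name": "Jones", "ssn": "000-00-0002"},
    {"state": "CO", "first_name": "Eve", "last_name": "Adams", "email": "eve@example.com"},
]
DETERMINATION_DATE = date(2018, 9, 1)   # assumed date the breach was determined


def demo() -> NoticePlan:
    return plan_notice(SAMPLE_RECORDS, DETERMINATION_DATE,
                       unreadable=frozenset({"health_insurance_id"}))


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` reports two affected residents, a resident deadline of 2018-10-01, attorney general notice, no consumer-reporting-agency notice, and a direction to change credentials because one record exposed an email address with its password. Note that `unreadable` is applied by field name across the whole record set; a real inventory would track encryption status per data store rather than per field.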

HB 1128 also added article 73 to Title 24 imposing similar requirements on Colorado governmental agencies who have and now must protect personal information.

Your, and Your Clients’, Next Steps

All covered entities – and that generally means all of us – that maintain, use or license PII or personal information of Colorado residents should evaluate their data protection and data breach policies. Covered entities are not only entities located in Colorado or that are formed under Colorado law, but are defined without geographic limitation in C.R.S. § 6-1-102(6) – but only with respect to whether the PII being maintained relates to Colorado residents.

  • If any covered entity (not exempt because of the federal or state law requirements found in C.R.S. § 6-1-713(3) and § 6-1-713.5(4)) does not have written policies in place, they should be implemented in order to comply with the heightened obligations.
  • Having policies is not, however, the only answer. Appropriate procedures have to be established to maintain the security and integrity of that PII – both in house at the covered entity and at the covered entity’s third-party service providers.

This is a new law, and there is much to be interpreted. Nevertheless, as set forth in the September 7, 2018, Denver Business Journal (article entitled Consumer data ‘stakes are higher’ by Andrew Dodson at Page A17), the stakes are now much higher for companies doing business with Colorado residents involving PII, and the legislation requiring “reasonable security procedures” was “written vaguely on purpose.” Whether that vagueness helps the smaller business owner to downsize some requirements, or some degree of strict liability will be applied, remains to be seen. At this time there is no best practice or guidance available to entities now covered under HB 1128. With time and case law developments, the best practices will become more evident. In the meantime, according to proponents of the legislation, you should “write policies you can be proud of, and in the event of a data breach be able to demonstrate to the Attorney General that you have created policies, procedures and documents that demonstrate you took this seriously and thought through the issue.”

HERRICK K. LIDSTONE, JR.,
RECEIVES THE CATHY STRICKLIN KRENDL BUSINESS LAWYER
LIFETIME ACHIEVEMENT AWARD

The Executive Council of the CBA Business Law Section considered several excellent nominations for the Cathy Stricklin Krendl Business Lawyer Lifetime Achievement Award and voted to recognize Herrick K. Lidstone, Jr. for his many years of furthering the development of practical, comprehensive and well-drafted business related legislation, for writing about and teaching Colorado business law and for his devotion to enduring principles of professionalism in his legal career.

In deciding who deserves the Award, the Executive Council considers, among other attributes, the recipient's intellectual and professional excellence in the practice of or scholarship on Colorado business law; the recipient's generosity of spirit as reflected in the recipient's participation in and contribution to the advancement of Colorado business law; the recipient's efforts to enhance the general quality of business law practice by Colorado lawyers; and the recipient's devotion to the principles of legal professionalism, all manifested consistently over years of endeavor.
Herrick is a perfect example of the person who deserves the Award.


CBA-CLE Upcoming Programs

Recent Federal Income Tax Developments for M&A and Choice of Entity Decisions

Colorado's NEW Data Privacy Law — What It is and Its Impact on You and Your Clients

Ethics and Professionalism in the Practice of Law


CBA-CLE Business Law Homestudies

2018 Legislative Update

2018 Business Law Institute


Contributions for future newsletters are welcome.
Contact Ed Naylor at [email protected], 303-292-2900.
This newsletter is for information only and does not provide legal advice.
