“Biometric data” means unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account.

“Determination that a security breach occurred” means the point in time at which there is sufficient evidence to conclude that a security breach has taken place.

“Encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

“Governmental entity” means the state and any state agency or institution, including the judicial department, county, city and county, incorporated city or town, school district, special improvement district, authority, and every other kind of district, instrumentality, or political subdivision of the state organized pursuant to law. “Governmental entity” includes entities governed by home rule charters. “Governmental entity” does not include an entity acting as a third-party service provider as defined in subsection (1)(i) of this section.

“Medical information” means any information about a consumer's medical or mental health treatment or diagnosis by a health care professional.

“Security breach” means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a governmental entity. Good faith acquisition of personal information by an employee or agent of a governmental entity for the purposes of the governmental entity is not a security breach if the personal information is not used for a purpose unrelated to the lawful government purpose or is not subject to further unauthorized disclosure.

“Third-party service provider” means an entity that has been contracted to maintain, store, or process personal information on behalf of a governmental entity.

The breach of encrypted or otherwise secured personal information must be disclosed in accordance with this section if the confidential process, encryption key, or other means to decipher the secured information was also acquired in the security breach or was reasonably believed to have been acquired.

A governmental entity that is required to provide notice pursuant to this subsection (2) is prohibited from charging the cost of providing such notice to individuals.

Nothing in this subsection (2) prohibits the notice described in this subsection (2) from containing additional information, including any information that may be required by state or federal law.

If a governmental entity uses a third-party service provider to maintain computerized data that includes personal information, then the third-party service provider shall give notice to and cooperate with the governmental entity in the event of a security breach that compromises such computerized data, including notifying the governmental entity of any security breach in the most expedient time and without unreasonable delay following discovery of a security breach, if misuse of personal information about a Colorado resident occurred or is likely to occur. Cooperation includes sharing with the covered entity information relevant to the security breach; except that such cooperation does not require the disclosure of confidential business information or trade secrets.

Notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and the law enforcement agency has notified the governmental entity that operates in Colorado not to send notice required by this section. Notice required by this section must be made in good faith, in the most expedient time possible and without unreasonable delay, but not later than thirty days after the law enforcement agency determines that notification will no longer impede the investigation, and has notified the governmental entity that it is appropriate to send the notice required by this section.

If a governmental entity is required to notify more than one thousand Colorado residents of a security breach pursuant to this section, the governmental entity shall also notify, in the most expedient time possible and without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by the federal “Fair Credit Reporting Act”, 15 U.S.C. sec. 1681a(p), of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. Nothing in this subsection (2)(i) requires the governmental entity to provide to the consumer reporting agency the names or other personal information of security breach notice recipients. This subsection (2)(i) does not apply to a person who is subject to Title V of the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. sec. 6801 et seq.

A waiver of these notification rights or responsibilities is void as against public policy.

The breach of encrypted or otherwise secured personal information must be disclosed in accordance with this section if the confidential process, encryption key, or other means to decipher the secured information was also acquired or was reasonably believed to have been acquired in the security breach.

A governmental entity that is regulated by state or federal law and that maintains procedures for a security breach pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section; except that notice to the attorney general is still required pursuant to subsection (2)(k) of this section. In the case of a conflict between the time period for notice to individuals, the law or regulation with the shortest notice period controls.