Director's Corner

Commission Position Statement 21 Updated

If you maintain, own or license personal identifying information in the course of your business, vocation or occupation, you need to be aware of the strengthened protections for consumer data privacy created by the passage of House Bill 18-1128.

2018a_1128_signed.pdf
CP-21 Office Policy Manuals.pdf

Personal identifying information

Personal identifying information is defined as a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card; a government passport number; biometric data; an employer, student, or military identification number; or a financial transaction device. The law requires you to develop a written policy for the destruction or proper disposal of paper and electronic documents that contain personal identifying information. Your written policy is required to include a provision indicating that once your paper or electronic documents containing personal identifying information are no longer needed, you will destroy or arrange for the destruction of those documents by shredding, erasing, or otherwise modifying the personal identifying information in the documents to make it unreadable or indecipherable through any means. If you are subject to state or federal records retention requirements, you must also comply with those regulations.

The law requires that if you maintain, own or license personal identifying information, you must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and to the nature and size of your business and its operations. If you use a third-party provider to maintain your documents, you must require the third-party provider to implement and maintain reasonable security measures that are appropriate to the nature of the personal identifying information and reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.

The law establishes disclosure requirements if you become aware of a potential security breach. If a breach of personal identifying information may have occurred, you are required to provide the affected Colorado residents with the following information, at a minimum:

  1. The date, estimated date, or estimated date range of the security breach;
  2. A description of the personal identifying information that was acquired or reasonably believed to have been acquired as part of the security breach;
  3. Information that the Colorado resident can use to contact you to inquire about the security breach;
  4. The toll-free numbers, addresses and websites for the consumer reporting agencies;
  5. The toll-free number, address, and website for the Federal Trade Commission; and
  6. A statement that the Colorado resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes.

Security Breach Issues

If you have a possible security breach and you determine that the type of information that has been misused or is reasonably likely to be misused is a Colorado resident’s username or email address, in combination with a password or security questions and answers that would allow access to an online account, you must direct the affected person to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account(s) that use the same username, email address, password, security question or answer. This notice must occur as quickly as possible and without unreasonable delay, but no later than 30 days after the date the security breach was determined to have occurred. Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. There are alternative disclosure requirements if you provided the Colorado resident with login credentials for an email account that you furnished.

Notification rights and responsibilities cannot be waived, and the cost of making the notification cannot be passed on to the affected Colorado residents. If the security breach appears to have affected 500 Colorado residents or more, you are required to notify the Colorado Attorney General as quickly as possible, but no later than 30 days after the security breach is determined to have occurred. If you must notify more than 1,000 Colorado residents of a security breach, you are also required to notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. You are not required to provide the names or other personal identifying information of the security breach notice recipients to the consumer reporting agencies. The consumer reporting agency provision does not apply if you are a financial institution subject to Title V of the Gramm-Leach-Bliley Act.

Remember

This article doesn’t summarize all aspects of the law, and the Division recommends that you consult with an attorney regarding how best to comply with its requirements. If you are an independent or employing broker, you will need to update your office policy manual to address the maintenance, protection and destruction of personal identifying information, along with the notification requirements. The Real Estate Commission updated Commission Position Statement 21 on December 4, 2018 to include the data privacy requirements in your office policy manuals.

Director Marcia Waters

About the Director

Marcia Waters has been with the Colorado Division of Real Estate since August 2005. Marcia started with the Division as a Criminal Investigator for the Real Estate Commission and was promoted to Chief Investigator in 2006. In 2007, she was promoted to the position of Investigations and Compliance Director. In that capacity, she managed the investigatory and settlement programs for the Division. On October 15, 2010, she was promoted to the position of Division Director. The Division of Real Estate licenses and regulates approximately 50,000 real estate professionals. Ms. Waters serves as the administrator for the Real Estate Commission, the Board of Real Estate Appraisers, the Board of Mortgage Loan Originators, the Community Association Manager Program and the HOA Information and Resource Center. Ms. Waters manages the Division’s $6.5 million budget, oversees a staff of approximately 57 full-time employees, and establishes the direction of Division programs based on market and industry trends.