September 2018
New Colorado Law Creates Strict Liability for Security Breaches of Tenant Personal Information
Don’t Be Careless and Lose in the Name Game
Landlord News
Volume 19 • Issue 9 SEPTEMBER 2018
3600 South Yosemite Street Suite 828, Denver, Colorado 80237
thsnews@thslawfirm.com www.thslawfirm.com
Denver Phone 303.766.8004 FAX Completed Eviction Forms To: 303.766.1181 or 303.766.1819
Colorado Springs Phone 719.550.8004 FAX Completed Eviction Forms To: 719.227.1181
NEW COLORADO LAW CREATES STRICT LIABILITY FOR SECURITY BREACHES OF TENANT PERSONAL INFORMATION
All Landlords Need Appropriate Written Policy To Be In Compliance
Overview
Colorado has a new statute that creates clearer liability
for losing a customer’s personal information, mandates the
development of a written policy covering the destruction of
the information, and establishes detailed procedures for how
to notify customers in the event of a security breach. In
order to comply with the statute, all clients will need to
develop the required written destruction policy and should
analyze how they store and destroy this information. To the
extent this information is transferred to third party vendors
(like screening companies and document preparation vendors),
it would be prudent to modify the contracts with those
vendors to get their warranty of compliance with this statute
and an indemnification for their violation of the statute.
The new statute (found at CRS 6-1-713 – effective
September 1, 2018) applies to all persons or entities
(including landlords) that collect certain personal
information. There is no exception for small businesses
or landlords. Any person that collects this information is
subject to the statute.
What’s Covered
In order to assess a company’s potential risk and what a
proper destruction policy might be, one has to look first
at the information covered by the statute. The list is as
follows:
• social security number;
• a personal identification number;
• password;
• pass code;
continued on page 2
DON’T BE CARELESS AND LOSE IN THE NAME GAME
One of the most fundamental foundational principles
at THS is that “preventive law is king”. The Firm
knows that better educated clients are less likely to get into
legal trouble. And, that is why we spend so much time
focusing on client education and information designed
to help our clients avoid potential legal problems. Or,
as Benjamin Franklin succinctly put it, “An ounce of prevention
is worth a pound of cure”.
Because minor details can end up causing major
unforeseen problems, we are calling your attention to the
important issue of compliance with the legal requirements
for community and owner legal entity names when filing
an Eviction Case with the Court.
Multi-Family Housing providers need to pay more attention
to legal entity names and apartment community names used
in their court filings. Legally, names that are used by you
are required to be registered with the Colorado Secretary
of State. Failure to comply with legal name requirements
can make your Eviction Case vulnerable to dismissal
resulting in increased attorney’s fees and costs.
This issue is NOW even more problematic with
Legal Aid in Denver becoming more involved in making
sure that every Eviction Case filed is in full compliance
with entity name registration requirements. Additionally,
tenants are also becoming more legally savvy because
of information on these types of issues that they find on
the Internet. So, we believe, when it comes to our clients
and their understanding of the issue of proper legal entity
name usage, that to be forewarned is to be forearmed.
We have written several comprehensive articles on
the subject of community and owner legal entity names
usage/legal requirements and we encourage all of our
clients to refresh their memory on this subject to avoid
problems regarding proper names usage in your lawsuits.
You can access this resource material by clicking here
(if you received this by email) or going to
(tinyurl.com/EntityName) on the Internet.
NEW COLORADO LAW CREATES STRICT LIABILITY
continued from page 1
• an official state or government-issued driver’s license or identification card number;
• a government passport number;
• biometric data (generally fingerprints, DNA profiles, retina scans and similar biological information);
• an employer, student, or military identification number;
• or a financial transaction device (credit card or similar electronic fund transfer card).
For most landlords, social security numbers and copies of
government issued driver’s license or identification cards
and/or numbers would be the primary data on this list to be
concerned about. However, if the landlord has a web-based
payment system or third-party wire transfer system like the
Walk in Payment Program (with account numbers, passwords
etc.) there may be other covered information to consider.
Student housing providers and those receiving military
orders to verify military based lease terminations might end
up with still more of this information in their systems.
Project based subsidized housing providers, who
collect and maintain a host of information on sources of
income, employer verifications, immigration status for
the purpose of certifying the tenant’s eligibility for and
compliance with the subsidy program, will have even more
of this information to manage.
Destruction Policy
The first step for compliance with the statute
is the development of a written destruction policy. The
statute only specifies two considerations that have to be
included in that policy, the timing of the destruction and
the method.
As to timing, the statute specifies the destruction
needs to occur when the information is “no longer
needed”. That element is certainly open to interpretation,
but a case could be made that this information
remains “needed” at all times through and including the
final settlement of the tenant’s move out account (as the
landlord might want to have this information available for
the collection company).
A reasonable argument can also be made that this
information (like all other information and documentation)
is needed for the length of the various statutes of
limitation for potential legal causes of action held by its
customers. While most of the statutes of limitation that
apply to landlord/tenant situations are three years or less,
there are several that are six years. An industry standard
continued on page 3
PLEASE CHECK THE FILING CALENDAR FREQUENTLY FOR COURT CHANGES & UPDATES
HOLIDAYS AFFECT THE CALENDAR
IMPORTANT THS SEPTEMBER DATES
September 3rd ALL COURTS CLOSED
LABOR DAY HOLIDAY
THS Closed
LABOR DAY HOLIDAY
September 5th WEBINAR DENVER CLIENTS
DENVER EVICTION CHANGES
FILING CHANGES***
9:00 a.m. – 10:00 a.m. Online
September 12th Evictions Workshop
THS Lower Conference Center
3600 S. Yosemite Street
Denver, CO
9:00 a.m. – Noon
September 13th Subsidized Evictions Boot Camp
THS Lower Conference Center
3600 S. Yosemite Street
Denver, CO
9:00 a.m. – Noon
September 19th WEBINAR WEDNESDAY
SUBJECT TBD
9:00 a.m. – 10:00 a.m. Online
September 21st Pre-Luncheon Advanced
Fair Housing Workshop
Dave & Busters
Westminster
8:30 a.m. – 11:30 p.m.
September 21st North Client Luncheon
Dave & Busters
Westminster
11:30 a.m. – 1:00 p.m.
September 24th DOUGLAS COUNTY COURTS
CLOSED
September 25th NO El PASO COURT
September 25th AASC Advanced Fair Housing
545 E Pikes Peak Avenue
Suite 105
Colorado Springs, CO
1:00 p.m. – 4:00 p.m.
NEW COLORADO LAW CREATES STRICT LIABILITY
continued from page 2
has developed of keeping documentation for at least 7
years so that anything relevant to any claim brought might
be available. Based on this standard, reasonable arguments
can be made that destruction timing of 7 years after
the last business dealings with the tenant is doing no more
than keeping the documentation until it is “no longer
needed.”
Regardless of the outside time limitation on
keeping the information, a prudent landlord might reasonably
choose to destroy this information more quickly
in order to eliminate the potential liability of losing the
information.
As to the method of destruction, the statute specifies
“shredding, erasing or otherwise modifying the information
to make it unreadable or indecipherable.” Shredding would
seem to be the obvious choice for written documents.
Clients will have to get competent IT advice on proper
techniques for erasing or modifying electronic data.
While not specifically required to be in the Destruction
Policy, this statute requires the implementation
and maintenance of reasonable security procedures (discussed
below) to protect the information from unauthorized access,
use, modification, disclosure, or destruction. The Destruction
Policy would be a convenient and prudent place to
recite what those reasonable security procedures might be.
Notification of Security Breaches
The statute also mandates a procedure of notification
in the event of a security breach. A security
breach is defined as the disclosure of the above personal
information in combination with the disclosure of the
tenant’s name. There is no requirement that procedures
for dealing with a security breach be in writing or even be
established in advance, only that notification (if and when
it should ever have to be given) complies with the statute.
Immediate first class mailing of the notice seems the most
cost effective and defensible system of notification.
The notice must include:
• The date, estimated date, or estimated date range of the security breach;
• A description of the personal information that was acquired or reasonably believed to have been acquired;
• Information that the resident can use to contact
• The toll-free numbers, addresses, and websites for consumer reporting agencies;
• The toll-free number, address, and website for the Federal Trade Commission; and
• A statement that the resident can obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes.
Security Measures
The statute requires anyone possessing this information
to “implement and maintain reasonable security
procedures and the practices that are appropriate to
the nature of the personal identifying information and the
nature and size of the business and its operations.” Beyond
this it gives no guidance as to what a prudent security
measure might be. However, it offers a couple of hints.
By defining a security breach as the loss of not
only the personal identifying information but also the
name of the party to go with it, one can eliminate the
possibility of a security breach by making sure the tenant’s
name does not appear in the same database or document
as the various identification numbers. One can envision
a document or database that lists information like social
security numbers, passwords, driver’s license numbers etc.
by a random customer number. One would have to refer
to a different database or different document to see
who the personal information applies to. Additionally,
the statute defines a security breach as the “unauthorized”
release of information. Therefore, a landlord can improve
their position for the release of any information by
getting the tenant’s advance authorization for that release.
While security measures are beyond the scope of
what lawyers have any particular expertise in, it occurs
to us that having this information kept on a computer
with internet connectivity creates a risk. Keeping this
information in the normal tenant file that is routinely accessed
in non-secure environments also creates a risk.
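
The separation described above (identification numbers listed under a random customer number, names held in a different database), sketched as an added example that is not part of the original newsletter. The table names, column names and sample tenant are assumptions made up for illustration.

```python
import secrets
import sqlite3

# Two separate stores (in-memory here; in practice separate files or hosts
# with separate access controls). All names below are assumptions.
names_db = sqlite3.connect(":memory:")
ids_db = sqlite3.connect(":memory:")
names_db.execute("CREATE TABLE tenant (customer_no TEXT PRIMARY KEY, name TEXT)")
ids_db.execute(
    "CREATE TABLE identifiers (customer_no TEXT PRIMARY KEY, ssn TEXT, dl_no TEXT)")
# SQLite option that overwrites deleted rows with zeros instead of only unlinking them.
ids_db.execute("PRAGMA secure_delete = ON")

def enroll(name, ssn, dl_no):
    """Store the name and the identification numbers under a random number."""
    customer_no = secrets.token_hex(8)  # random, not derived from name or SSN
    names_db.execute("INSERT INTO tenant VALUES (?, ?)", (customer_no, name))
    ids_db.execute("INSERT INTO identifiers VALUES (?, ?, ?)",
                   (customer_no, ssn, dl_no))
    return customer_no

def names_dump():
    """Everything visible to someone holding only the names store."""
    return names_db.execute("SELECT * FROM tenant").fetchall()

def identifiers_dump():
    """Everything visible to someone holding only the identifiers store."""
    return ids_db.execute("SELECT * FROM identifiers").fetchall()

def lookup(customer_no):
    """Linking a name to its numbers requires access to both stores."""
    name = names_db.execute(
        "SELECT name FROM tenant WHERE customer_no = ?", (customer_no,)).fetchone()
    ids = ids_db.execute(
        "SELECT ssn, dl_no FROM identifiers WHERE customer_no = ?",
        (customer_no,)).fetchone()
    return (name[0] if name else None, ids)

def destroy_identifiers(customer_no):
    """Destruction step: erase the covered numbers once no longer needed."""
    ids_db.execute("DELETE FROM identifiers WHERE customer_no = ?", (customer_no,))
    return lookup(customer_no)

# Constructed sample tenant; every value is made up.
SAMPLE_NO = enroll("Pat Example", "000-12-3456", "CO-0000000")
```
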
Liability
Arguably, causes of action based on negligence theories,
breach of contract and breach of implied or express warranties
already exist for the loss of this type of confidential
information. At first read, one might not think liability
had changed much and the only new issues are the required
Destruction Policy and notification procedures.
However, the statute provides that the person that
loses the information is liable for all damages without a
finding of any specific wrongdoing. Therefore, the statute
creates strict liability for a landlord for a security breach
and will, therefore, make pursuing a cause of action
following a security breach much easier. The good news is
that the statute does not include a mandatory or minimum
penalty. These types of penalties create financial
obligations to people even when they have not suffered
any specific loss. Consequently, these types of penalties
are key ingredients to putting together a successful class-action
lawsuit. Without a prescribed minimum penalty,
one can anticipate significantly less litigation over the
statutory requirements.
Vendor Contracts
The statute creates an obligation to make sure that, if
any of this information is voluntarily transferred to a
third party, the recipient of the information complies
with statutory requirements. This personal information
might routinely be transferred to outside screening companies,
various vendors who provide services like lease preparation
and even to a new management company in the event
of an ownership or management change. These contracts
should prudently include a clause whereby the transferee
guarantees that they will comply with the requirements
of the statute and will indemnify and hold the landlord
harmless for any failure to comply with the statute or any
security breach as defined by the act. Example language is:
Vendor represents and warrants that it will fully
comply with the requirements of C.R.S. 6-1-713
(regarding information destruction and security
breaches) and hereby indemnifies and shall hold
customer harmless from any and all liability
associated with a violation of the statute and any security
breach thereunder.
Think About It!
A person who feels appreciated will always do more than what is expected