CO HB1140

Requires state entities to notify individuals when a security incident compromises personal or financial identifying information due to state error or inadequate security protections.

Notification must include the date and nature of the incident, confirmation that security may have been compromised, and contact information for the state entity.

State entities must contract with identity theft protection services to provide one year of free protection coverage for affected individuals.

Chief Information Officer of the Office of Information Technology must promulgate rules for executive branch departments; non-executive entities may adopt these rules or establish their own.

Act takes effect August 6, 2014, unless subject to referendum petition, in which case it requires voter approval at the November 2014 general election.