Colorado: Senate Bill 18-086 — Concerning the Use of Cyber Coding Cryptology For State Records


The State of Colorado enacted Senate Bill 18-086 (‘Bill’) on May 30, 2018. The Bill will require the:

  1. Chief Information Security officer in the governor’s office of information technology (OIT),
  2. Director of OIT,
  3. Department of state, and
  4. Executive Director of the department of regulatory agencies to consider adopting distributed ledger technologies to address cyber threats to state government data systems.

In 2017, the cyber threat to the Colorado government included six to eight million attempted attacks per day.

Under Section 1, 2, 5 and 6 of the Bill:

  1. The Chief Information security officer is required to:
  • Identify, assess, and mitigate cyber threats to state government;
  • Annually collect information from all public agencies to assess the nature of threats to data systems and the potential risks and civil liabilities from the theft or inadvertent release of such information;
  • Coordinate and partner with specified agencies, boards, and councils, annually assessing the data systems of each public agency for the benefits and costs of adopting and applying distributed ledger technologies such as blockchains;
  • Develop and maintain a series of metrics to identify, assess, and monitor each public agency data system for its platform descriptions, vulnerabilities, risks, liabilities, appropriate employee access control, and the benefits and costs of adopting encryption and distributed ledger technologies.

2. The Director of OIT is required to consider:

  • The annual metrics from the office of the chief information security officer to recommend programs, contracts, and upgrades of data systems that have good cost-benefit potential or return on investment.
  • Developing along with the office of the chief information security officer public-private partnerships and contracts to allow capitalisation of encryption technologies while protecting intellectual property rights.

3. The Department of State is required to consider:

  • Research, development, and implementation for encryption and data integrity techniques, including distributed ledger technologies such as blockchains.
  • Using of distributed ledger technologies when accepting business licensing records and when distributing department of state data to other departments and agencies.

4. The Executive Director of the department of regulatory agencies or the director’s designee is required to consider:

  • Secure encryption methods, including distributed ledger technologies, to protect against falsification, create visibility to identify external hacking threats, and to improve internal data security.

Section 4 of the Bill requires the department of higher education to allocate money to institutions of higher education participating in cybersecurity and distributed ledger technology activities, and participating institutions of higher education to allocate percentages of that money to provide scholarships to students doing work in connection with cybersecurity and distributed ledger technology.

Section 1(6)(a)-(b) of the Bill prohibits a county or municipal government from imposing a tax or fee on the use of distributed ledger technologies by any private person or entity, or from requiring any private person or entity to obtain a certificate, license, or permit to use distributed ledger technologies.

Section 8 of the Bill allocates $250,000 to the office of the governor for use by the office of information technology and  $10,200,000 to the department of higher education for the 2018-19 state fiscal year.

Finally, Section 3 of the Bill specifies that the University of Colorado at Colorado Springs and any nonprofit organisation with which the university has a partnership may consider:

  • Encouraging coordination with the United States Department of Commerce and the national institute of standards and technologies to develop the capability to act as a Colorado in-state center of excellence on cybersecurity advice and national institute of standards and technologies standards;
  • Studying efforts to protect privacy of personal identifying information maintained within distributed ledger programs, ensuring that programs make all attempts to follow best practices for privacy, and providing advice to all program stakeholders on the requirement to maintain privacy in accordance with required regulatory bodies and governing standards; and
  • Encouraging the use of distributed ledger technologies, such as blockchains, within their proposed curricula for public sector education.

Flavio Cultrera