April 27, 2026 · State, Civic, Military, & Veterans Affairs · 45,625 words · 11 speakers · 65 segments
ideas that we had coming into the session that we were working on independently. The speaker had a piece. I had stuff for the judicial security piece, and then we've gotten some information here for other stuff that was being worked on by the majority leader. So we have combined all of those efforts into one bill since they all had this similar nexus. So there's a few moving parts, and I'm going to go through all of them really quickly to kind of give you a sense of what we're doing. So the first section of the bill deals with creating a position for the General Assembly that will work in conjunction with both chambers, the Senate and the House, and that person will be responsible for the day in and day out view of what it looks like for a member security, if you will. This includes a few things that we don't currently do, And that is somebody that is on the floor with us routinely, understands the legislation that is going through the building, is paying attention to things as that nature, so that they're better informed when you come and let them know that you're having a town hall or being able to work with the state patrol or other information sources to determine if security might be needed for official events outside of the building, such as when you are having a town hall and you know that some large group is coming or something like that. Most of this is forward thinking. A lot of this came from our realizations about kind of being asleep at the wheel, if you will, about our own security after the Melissa Hortman incident. As you all know as well, I never saw this personally, but it was printed in the post, so I'm assuming that they verified that we did have a member of our General Assembly that was on the list for Melissa Hortman, and I think that some of that was an eye-opening experience for us. I want to start off by saying that there's nothing that we're looking at here that we're dissatisfied. I know that Colorado State Patrol is statutorily responsible for our protection. They are statutorily responsible for patrolling this building and the complex and their safety. At no point in time has there been a dissatisfaction with any of that service. What this is is something that is a bit more in the middle, if you will. somebody that works for the General Assembly, is hired by the Executive Council, that functions in a capacity that is responsible to this branch of government. And where we got the idea for that was we just did this. I actually ran a bill for the judicial branch and created basically the same position across the street. And we called that the Administrator of Judicial Security. and that process and that position has worked very, very well according to judicial. They're pleased with it. In fact, because they have such a large responsibility with all of the courthouses around the state, they've actually added a couple more people in that role. I don't anticipate that we will ever need that. I think paying attention to member security, I assert this will likely always be a one-person position. That's how I envision it now, but we are writing law, and many of the laws that I'm dealing with today in this bill have been on the books since the 60s And I assert that what we leave here will also live for many many years So I trying to look forward to what we think might be important for some future iteration of a General Assembly So the language is written much the same. So we're dealing with that position. they will become the liaison for us and interpret legislative speak into cop speak, hopefully, as they're engaged with the Colorado State Patrol. There is some shalls in here that they shall coordinate, given that Colorado State Patrol is still fully responsible for the actual policing function of everything about this building and our security. This person really is more of a tool to make sure that that goes smoothly and also that you're not dealing with state patrol on policy positions, on their bills or other executive bills that they may be representing, while also dealing with them directly about your security. We'll have somebody that is responsible for that. And I can tell you the speaker and the majority leader have also expressed that their discomfort, that when there is a security issue, that they're left to have to make the determination about what is next sometimes with state patrol because they currently serve that function, the speaker and the minority leader, speaker, majority leader. Same thing in the Senate with the president. We will have somebody that that is their job and the executive council will set what their responsibility is and how they are to handle those things and how we are to engage with them and make those rules. And we're working on a whole set of policy papers that will go into hiring this position that are not what we're putting in law, but this law fits that. We do have in this that this person may be post-certified. There's not necessarily a nexus that we have this person be cop or cop-like. However, across the street, they did hire somebody that came from a sheriff's department, and that position is working very well. So she is able to provide security for the justices when they're out and about, when she's with them, et cetera. So she's not restricted in any way from doing such a thing, but it's not really part of her day-to-day function. And if you saw her out and about, you would never know that she's a police officer. Other nature for that is there are 21 other sections in 16.2.5 that use very similar language to how we identify maybe post-certified. And what you will see on most of those is people that are in director positions or people that are in an administrative function like this would be. There's a couple of reasons why we would do that. one we may need them to be at some point in time, even if we're not anticipating them to have a core function of policing. It is predictable that the type of people that would apply for this type of position might come from law enforcement. Just last year, the Department of Public Safety came to me in another bill and said, you know, sometimes we have positions that are non-sworn positions. Can you help us make sure that if we put a sworn person in one of those non-sworn positions that we can maintain their training and we can keep their post certification? For those of you that do not know, if you serve outside of law enforcement for more than 36 months, you have to go back through training or have to go back through a process in order to get your post reactivated. We don't want to create a situation for that for anybody that may take this position. And while we don't really have any grandiose ideas that what we're trying to create here is like a capital police force or anything like that we do recognize that this position will likely be trained in that vein or could come from that world I sort of envision not that I know who the executive committee would ever hire for something like this but probably somebody that is retired or has some serious experience in this area. I hope that they have a solid professional that is making these determinations. So that's kind of the nux and crux of creating a position. There is a fiscal note that you got today. We've determined that they use some inaccurate data and Josh is here and will explain that. They will fix that later today. This is kind of short notice. The thing that you should know about that is the FTE or position for the General Assembly has already been identified and dealt with in our budget process. We anticipated that this will pass. So that is something that they will make that appropriation when appropriate. but we won't be finding new funds to do this. This is something that we had already addressed. Beyond that position, we are expanding a few things just administratively. It doesn't change anything at all. It actually just maintains exactly what we're doing today, but there's a few areas of law where we're making sure that the Colorado State Patrol has original jurisdiction over the Capitol Buildings Complex. We're redefining that to call it the Capitol Buildings Complex. You'll see at one place it mentions the governor's mansion, and it's the same thing, that they have original jurisdiction. It doesn't change anything, but the city and county of Denver also does, but it just gives a nod in law that they have that as officially in statute as part of their responsibility as original jurisdiction. The next things that we deal with in statute here are related to forms that you file that might have your personal identification information. So personal financial disclosures, some of your tracer forms, et cetera. fascinatingly because I was a police officer when I got elected to the General Assembly I was already covered under a provision of law that lets me take my house records offline and redact all of my private information so even when I ran etc none of that information became publicly available it was a surprise to me that other members or elected officials didn't have the same ability to have that protected status You're going to see quite a bit of language in here that deals with that in kind of a wide squath. If you are an elected official or if you're in a public position or you've been appointed to the General Assembly, et cetera, it gives you coverage to make sure that that stuff can be redacted. There will be an amendment today that fixes one thing. In the bill, there was a strikethrough language that said that the personal financial disclosures would no longer be posted online. That was a mistake. We are correcting that today so that they will still be online. and we're directing the Secretary of State that personally identifying information that shows up in those forms will be redacted, or they can adjust the form so that it doesn't display that information however they see fit, but that will still be online. I am also in conversation with the Press Association about something else that they've identified currently that we may do some other tweaking on SECETS, But we're going to continue to work on those issues to make sure that there is a delicate balance so that we're not taking anything out of public view other than those things that can actually have someone show up at your house. And that's really kind of where we're drawing that line. The next area of the bill we get into a lot of stuff about the judicial branch So one of the things that happened when we created this position a similar position to what we doing for the General Assembly now is they started doing a number of assessments about their security and they learned a lot of new things And they have now suggested that they need to have a task force that includes the sheriffs that are also responsible for protecting these courthouses to go and do a deeper dive needs assessment and kind of like come up with a working plan for how to address both things that might be one court day a month in Los Animas County versus all the way up here in the city and county of Denver that has a very busy court system and how they balance all of those things. One of the things that we've had for a number of years is called the Court Security Cash Fund. The majority of the pages in this bill take the Court Security Cash Fund, and they move that into a special purpose authority. There's a few reasons that we're doing that. One of them is so that this is no longer a cash fund. A cash fund is something that is subject to the whims of the General Assembly, despite this being fed by a number of fees that are related specifically to these types of things. What that has caused in the past is we have had, and not so distant future, at least one occasion in which the funds in that cash form were swept. That makes it almost impossible long term to do capital planning projects or things other than like annual overtime. So they have kind of been on a single annual basis on how they have been using that money. It's obvious that we're going to have to increase that at some point in time, and we're working through what that looks like. But more importantly, right now, we're making sure that this SPA is specifically long-term earmarks for court and court security. And I also want to caution you, just because it's in the bill, it is specifically only for courts. There's nothing about this cash fund that now bleeds over into the legislative function of this bill or starts to pay any of our security expenses. There's no nexus to the two. This is all still doing exactly what it's been doing. but also shores that up so that it's under a functioning board that is making the determinations for how those funds are used long term. There's a lot of other little tidbits throughout the bill that deal with things like that, but most of this bill are taking all the individual fines and fees that feed that thing and making sure that that is moved appropriately. Hold on, I'm forgetting something that we did in here. Oh, we finally defined sergeant at arms. Those have been listed in statute for many, many years as chief security officers of the General Assembly, and we're now giving them their own words. So we're just changing the words for that in statute so that the sergeant at arms are, recognized appropriately for where they are. There's nothing that's changing about their position. They still report to the clerk. There's nothing about this new position that impacts them other than the clerk may ask this other new person to be involved with them in some way to help them get training or something. But there's no necessary, there's nothing that we've outlined at this point other than if the clerk so chooses to use this new position as a resource, then they have that authority to do so. Also, if you were looking at an org chart where the new position that we created, they were We'll sit parallel to the clerks, if you will, on the kind of the legislative staff. Let me see what else I'm forgetting. I got a little flustered by all the lobbying efforts on another bill we're going to hear today. So I'm thinking through things as we go. Did you all notice that? You all had some of the same things. You didn't have any lobbying? I'm looking at all the headers. Give me just another moment. I'll tell you what, I'll leave it there and let you ask questions. If I remember, I'll bring it back. I know that many of us have had the opportunity to talk about this briefly. You may have gotten your questions answered. I welcome anything that you have.
Thank you very much, Vice Chair Clifford.
Members, what questions do you have? Representative Espinoza and then Luck, did I see your hand up? Okay.
Go ahead, Representative Espinoza. Thank you, Madam Chair. I just want some clarification on page 7 of the bill, if you want to go there, and I think this is in a couple of other locations as well. And you've described briefly the distinction between, well, You haven't described for me sufficiently the distinction between the statutory language says the administrator of legislative safety's duties pursuant to subsection 2A of this section is a peace officer. And then there's something that then you talk about who may be certified by the post board. Can you describe the difference between being designated a peace officer and not having post certification? or it seems to me that just felt contradictory.
I'm going to grab 16, Title 16, really quick. There are... A couple dozen different positions-ish in 16.2.5 that we designate as peace officers. Many of them are, it's actually more than that, many of them are designated as peace officers while in performance of their duties. One of the things that we deal with more often than not is whether or not that position requires it to be a police officer or post-certified. So, you know, the Southern Indian police officers, the different Indian police, we say that they may. That's up to them. The fire arson investigators, we say, may be post-certified. The director of the Department of Homeland Security and Emergency Management is not a police officer, but he is a peace officer and may be post-certified. So the importance for me in that particular endeavor is that without that language, it limits the pool of people who might be able to apply for that position. So while they're in the performance of their duties, we would expect them to have the powers of peace officers, the same as the sergeants do now. They're peace officers while in performance of their duties. We're not sending them to specific training, et cetera, but that is how they are listed in law as are many other positions through 16 2 things like the executive director of the Department of Revenue or the director of the division in gaming the gaming investigators the state lottery investigators. Those may be post-certified. We don't necessarily hire post-certified peace officers for those positions, so there's not a necessity that we do so. But if you have someone that is, they may, and they may maintain that training and they may continue to be post-certified.
Representative Espinoza, follow-up. I guess the follow-up I have to that is it seems to me that the definition doesn't encompass the example that you're giving. That is, the fact that we're designating them as peace officers, I think you're saying they don't have to be post-certified to be called a peace officer. Many positions in the state are labeled as peace officers without being post-certified. So that's the first point. But then secondarily, the concern that I heard you raise and that I agree that we want to avoid is that those individuals, if they are post-certified, would be able to maintain that post-certification while serving in this position. And I'm not sure that the fact that you were saying that they may be post-certified qualifies them to stay certified under post-certification. And so I'd want to tighten that language if we could just to make sure that we don't have an apple and a cart and a horse before the cart kind of a situation.
Vice Chair Clifford. Thank you, Madam Chair. The language is consistent with 21 other areas of law in 16.2.5. I have them highlighted here if you'd like to look at them. But we copied and pasted specifically the language for how we format when we designate a peace officer. So that is the last words in many of these, and we were careful to make sure that we defined it the same.
Representative Espinoza. So just the final clarification, in all those other sections, when you designate them that way, that indicates that they get to maintain their post-board certification?
Vice Chair Clifford. They are allowed to do that, yes. And same thing with the position across the street. We're having no problems with them maintaining their Rule 28. their training, et cetera, et cetera, et cetera. That is absolutely the case.
Representative Locke. Thank you, Madam Chair. I do have a few questions, so I guess we'll just take one at a time and go through. The first section, I just want to make sure, starting from the back, pages 59 and 60, We're talking about SSB. We're talking about the Commissioner of Ag. All of that is just conforming amendments because we're renaming the complex. Is that accurate?
Correct.
Wonderful. Thank you.
Madam Chair, may I just dialogue?
Yeah, keep it tight.
Thank you.
Thanks.
Okay.
The next question that I have is on page 54. It looks like we're creating a new filing fee for folks engaged in the court process that they have to pay $10 as a court security surcharge. Am I reading that right?
We're dialoguing.
You're dialing. Oh, yeah, that's right.
So there are a few things about the fees that they're moving around. So you'll notice many of the fees are reduced. Some of that is based on where the fee came from or how it was being used in law already. And there are basically when they were going through correcting these fees, you called it conforming amendments. That's precisely what's happening here. I don't know if Terry Scanlon himself is testifying today, but they have been deep in the weeds on this particular piece for months and months and months. Will you answer those questions when you come up When you get into what happening in these fees that is something that I have seen changes go back and forth on a number of times so I would like to where it landed and all the work that went into making sure that those are all accurate to be answered by the department. Wonderful.
Then I guess I will just limit the rest of my questions to section 17 related to personal information on the internet. Starting on page 33 going through page 35 and beyond. But I'm interested for a couple of reasons. One, I note that under this new language, an elected official will continue to be covered up to four years after leaving office. But a judicial employee, which is anyone who's worked for the judicial department, they continue to be covered by this indefinitely. It doesn't matter. So I'd love to understand why the distinction there between a bailiff and a former governor, why you wouldn't have the elected official also be covered indefinitely. What was connected there?
We're in dialogue. Thank you. Most of that is related to like looking at trying to prescribe the least, if you will. When you're dealing with people in the judicial system, much like police officers, that is also lifetime. You know, if you take a police officer that has arrested a number of people, the people that are getting out of prison later about, you know, want to find the judge or the prosecutor or the probation officer or the yada, yada, yada, if you will. Far greater likelihood that those people are targeted in those particular ways. And we, when we were looking at this, we were trying to do the least, and we did not think that that was the case for elected officials.
Thank you. I know under personal information, there's some things being added, which makes sense to me. For those who don't have the bill, personal information includes home address, telephone number, mobile number, page number. Which pager? That's a fun flashback. personal email address, social security number, driver's license, federal tax identification number, bank account, credit card numbers. But what I'm focusing in on is a personal photograph. Personal photograph. Do what? It's existing law. Yes, I know. But then when we look at
protected person, we're now adding in elected officials. And a number of us take pictures with people and those people then post them on their social media and what have you.
And I just want to clarify, when we talk about not publishing that personal information, what you as the bill sponsor are intending for that to look like in practice. I mean, it makes sense to me that if anyone is out there posting our social security numbers, that's a concern. But when we get into a personal photograph, that in light of where we're at is kind of a gray area. So I'm just wondering if you can explain how what your bill does impacts on First Amendment considerations.
I didn't really address it beyond what is existing law. We just – it does still stay pager and it does still say personal photograph. We didn't engage or modify that other than to say when you're looking for what needs to be redacted, that's what you're looking for. I don think that it I think when you talking about something like the Secretary of State is going to post if they going to put a picture of you they will get that picture from you or get it from a public source et cetera I don know that we I not changing anything about current law about how that has been defined
I understand you're not changing anything about how the personal photograph is being defined, but you are adding into a protected person category elected officials whose personal photographs are posted a lot. and you know again it's a it's a distinction between all the other personal information somebody is out there posting our home addresses or social security numbers or credit card numbers that in and of itself i can see we don't want that happening and we're saying no but when you're talking about a personal photograph may gain them a class one misdemeanor if they post it in the wrong context at the wrong time of us as elected officials it seems to be a little bit concerning
to me. I don't disagree with you. We didn't address it because we did just expand the protected persons and I can recognize that those are there. Undercover employees for police departments obviously would not want their pictures posted, etc. So I think that that is probably the nexus of why that exists. I could not imagine a situation where that would be someone would be charged and convicted of a class one misdemeanor for posting a picture of me. So there is still, there has to be a charging component, but I think that if they did something inappropriate, the charge would be there. It doesn't occur to me like something that needs to be fixed, but I do see your dilemma here, and I wouldn't be opposed to saying that you could exempt the elected officials from that one provision, but I also don't think that you're going to find a prosecutor that's going to prosecute someone for a level one misdemeanor for snapping a picture of me in this building.
All right, we're going to move on. Representative Espinoza.
Thank you, Madam Chair. I did have just one more question. On page five, when we're talking about the new security person, we also indicated in the bill that they may hire additional staff, but I don't see anything either in the fiscal note or in reference to the additional staff needing to be with funds available or how that funding would happen. I just wanted some clarification of that because I do think we're leaving it wide open that they can hire people, a person or persons, to support that function, and we are only budgeting for the one security new position.
Vice Chair Clifford. The executive committee may hire, so the executive committee would always have to deal with the legislative budget if they were to expand or to add more people. So this position does not get to hire on its own. That is not the purpose of that.
Did you have a follow-up? I did because I didn't think that's what it said. I think it said the individual who we hire, the executive committee hires, would be the person hiring the additional personnel.
What line are you on, Representative?
Yeah.
Page 5, line 16. Administrator of legislative safety is paid a salary determined by the executive committee. The administrative legislative safety shall be appointed without reference to affiliation and solely basis. With approval of the executive committee may appoint additional personnel. So that is clear that the executive committee is the nexus for that and that always will have a budgetary approval.
Thank you.
Okay. Any further questions? All right. Seeing none, Vice Chair Clifford, I know that you do have one individual that is here and perhaps may have some time constraints.
Yes.
Did you want to hear from the individuals?
the support position and then amend, or do you want to hear amend and then support?
Let's do support and then amend. Okay, wonderful. Then we will go ahead and call up Chief Justice Marquez, welcome to State Affairs, and then Sarah Gonski and Dean Goldberry. And if there's anybody else in the room today that wishes to provide testimony in support of the bill, please come forward. Welcome Mr. Scanlon. We'll pass a sheet down. Oh, wonderful. Okay, it looks like you were able to sign up. Okay. Chief Justice, would you like to take it away?
Thank you, Chair Rolfo, and thank you, Vice Chair Clifford, for introducing this bill. I'm Monica Marcus. I am the Chief Justice of the Colorado Supreme Court. I've served on the court for 15 years, and I've been serving as chief since 2024. The Judicial Department supports House Bill 26-14-22. Our focus today is primarily those sections of the bill that relate directly to judicial, so sections 9 through 17 of the bill. I'm not here to offer comments on other provisions in the bill, but I'll focus my comments there, because those are the provisions that directly affect the judicial department, including our judicial officers and our court staff and probation staff. So this bill, I'm excited to see it because it addresses one of the greatest challenges that are facing our courts today, and that is security. Our courts exist to resolve disputes peacefully, and our system has to be able to do that in all 64 counties. Ensuring that we have safe and secure courthouses is fundamental to a fair and impartial justice system. In my travels around the state as Chief Justice over the last 18 months, and I visited all 23 of our judicial districts, Security has emerged as a top concern, regardless of location, whether we're rural, urban, front range, San Luis Valley, Eastern Plains, Western Slope. You've probably all read news stories about the uptick in threats against judicial officers. I don't need to fill you in on those kinds of details. I wasn't surprised to hear concerns from judicial officers in my travels around the state. The part that concerned me and I was not really aware of was how security impacts our court staff and our probation staff. And, of course, the attorneys, litigants in public that visit our courthouses every day. Across the state, I saw aging court facilities with glaring safety and security vulnerabilities, unsecured parking lots where judges and court staff can often encounter disgruntled litigants, broken elevators, buildings that lack sufficient emergency exits, non-existent or inadequate emergency notification systems, and unsecured entrances and shared county office slash court facilities. Just to put some color to this, in the past couple years of Lone, we've had a shooting just outside the El Paso County Courthouse that was witnessed by staff and the public. We had a suicide at Lindsey Flanagan here in Denver, where a defendant threw himself off the fifth floor balcony into a security area right in the public atrium. We had a bomb threat at the Alamosa courthouse that required a building evacuation. Those are just three of multiple examples over the last several years, and there have been many more. All of these incidents have traumatized our court staff. Our probation staff is affected as well. Our probation officers meet one-on-one with criminal defendants or criminal convicts who are working to get their lives back on track Our probation officers who are unarmed are often these days working in off probation security facilities without adequate security. These clients are coming from an increasingly complex criminal history background. Many of them have addiction issues. I probably receive quarterly emails from our chief judges telling me situations where probation officers have literally saved the lives of some of these probation clients from overdose deaths by administering Narcan. So these are challenging situations in which our probation staff often work. And then my concern, of course, extends to the public that come to our courthouses every day. A few months ago in the 18th Judicial District, which is Arapaho, all on the same day, we had a public defender who had a car stolen from the parking lot. There was a report of a gun in the courtroom, and a family member of a victim attacked a 69-year-old defense lawyer in the hallway, sending him to the hospital with serious injuries. So the bottom line is my deepest nightmare, honestly, as Chief Justice, is that I'm going to lose a judicial officer or an employee or a member of the public who is visiting our courthouses, and I will lose them to violence at some time on my watch. I know that chief judges around the state worry about this as well, and I'm trying to be proactive about this concern, which has permeated every jurisdiction in our state. So for all these reasons, we support the bill. The provisions of this bill will help address these issues. The task force that is listed in Section 15 of the bill is a top priority of mine as Chief Justice. Our chief judges around the state are already working on this issue to develop security plans pursuant to their chief judge responsibilities under Chief Justice Directive 9501. But this task force will enable us to coordinate this work statewide. The JBC authorized some cash fund spending authority to hire a security analyst to help me get this thing launched. But I want to emphasize that this is a complex undertaking. Our counties have obviously varying resources, and this effort is going to require a very thoughtful partnership and coordination with local law enforcement and county commissioners across the state. I look forward to working with the task force to develop these recommendations. We're very excited to get this task force up and running. Personally committed to this effort, I plan to lead it. And I'm also grateful, in addition to the task force provisions, those provisions in the bill that seek to protect our employees from retaliation, that's in Section 16, and that protect our judges' employees from the posting of personal information on the Internet in Section 17. All of these are important and meaningful provisions. And I realize I thank you for indulging me. I realize I've run over time and I'm happy to answer any questions.
Thank you very much, Chief Justice Marquez. And members, I probably should announce this on the front end, but I was going to offer Chief Justice Marquez time to be able to share her remarks with us because it's not often that we have this opportunity to dialogue with you in such a way. So to everybody else who's going to be testifying on this bill, I will be a stickler for three minutes. I'm not sorry. and and with that would you like to begin
Madam Chair thank you Tyler Brown Sheriff of Arapahoe County I think I banked some time from last time I spoke in front of you guys so you were pretty brief good afternoon I come before you today in strong support of creating a new special purpose authority fund dedicated to courthouse security across the state of Colorado Our courthouses are more than just buildings They are where justice is carried out where disputes are resolved peacefully and where the rule of law stands firm They are visible promise to our community that fairness, accountability, and due process is not just ideals, but realities we uphold every single day. But that promise only holds if the people inside those buildings feel safe. Across our nation and here in Colorado, we are seeing a troubling rise in extremism, threats, and targeted acts of violence against public institutions. Courthouses, by their very nature, have become focal points. They handle emotionally charged cases, high-profile decisions, and issues that can ignite strong and sometimes dangerous reactions. Our judges, clerks, deputies, and courthouse staff show up every day committed to serving justice. They should not have to wonder if their workplace is secure. They should not have to look over their shoulder for simply doing their job. This is not a theoretical concern. It is a very real and evolving threat environment. That's why the Special Purpose Authority Fund is not just a good idea. It's a necessary one. The fund would provide the resources needed to strengthen security infrastructures, enhance training, support personnel, and modernize the protective measures that safeguard our courthouses. It allows us to be proactive rather than reactive to identify vulnerabilities before they are exploited. During my time serving on the Court Security Cash Fund Board, we haven't been able to fund many of the requests that come to us from across the state, mostly rural parts of the state. And we haven't had the ability to be forward-thinking and get ahead of these situations. Because when it comes to protecting the rule of law, good enough is not good enough. we must ensure every courthouse whether in large urban centers or rural communities has the ability to protect those who work there and those who seek justice within those walls this is about more than physical safety is about preserving public trust when people walk into the courthouse they should feel confident not concerned they should see a system that is strong secure and unwavering if we fail to provide that sense of safety then we risk eroding the foundation of our justice system. Let me be clear, supporting courthouse security is not about fear, it's about responsibility. Responsibility is also relying on collaborative and trusted partnerships. We have worked through over the past decades to ensure that all of our buildings that engage in executive, legislative, and judicial functions are safe. It is about recognizing the reality of today's world and taking measured, thoughtful actions to meet those challenges ahead. It is about standing behind the men and women who uphold our laws and ensure that they have the tools they need to do it safely. The partnership between the chief justice and sheriffs and chief judges across the state will be paramount. And ultimately, it's about protecting democracy itself. Thank you, Sheriff Brown, and I
appreciate your effort to reclaim your previous time. I support a strong vote, yes. Thank you. Mr. Scanlon, were you here just for questions only, or did you also want to provide testimony?
I'm here for questions only primarily to answer the question from Representative Luck.
Okay, perfect. We will go ahead and start with questions. Representative Luck, did you want to direct your question?
Thank you, Madam Chair. And, yeah, if you wouldn't mind, it's good to see you. It's been a long time since I've seen you in a committee hearing, probably because I'm not on Judiciary anymore. Anyways, I would love to understand the fee structure. I also very much like to understand why we creating a new independent authority instead of just having an entity that subsumed under the judicial department that you all have direct control over And so if you could answer any of that I appreciate it Mr Scanlon
Thank you, Madam Chair, members of the committee. My name is Terry Scanlon. I'm the legislative liaison for Colorado Courts. Representative Luck, I just whispered to the bill drafter a minute ago, if you want to go through the sections of the bill on the fees, I'll need her help. But in broad terms, there's a current court security cash fund commission. It is funded by a $5 fee on the filing for most cases. The money goes to this cash fund commission, which receives applications from counties, mostly smaller population counties. The money goes mostly to smaller population counties and counties with a low tax base or a high rate of poverty. the grants are designed to provide equipment and support staff at the front doors well more broadly than the front doors but to provide security at the buildings this bill reduces the five dollar fee for that current court security cash fund commission so you'll see some reductions and creates a ten dollar fee so there's a five dollar increase for the court security authority and the court security authority has moved outside of the judicial department. The cash fund commission is currently managed by our staff. It'll be moved outside of the judicial department in order to have the capacity to increase fees
under the current budget structure that we have. Did you have a follow-up? Go ahead, Representative Luck. Thank you, Madam Chair. Are you speaking of TABOR restrictions? Mr. Scanlon Madam Chair, Representative Luck yes, I'm trying to yes we we would in an ideal world we'd be able to maintain the existing structure we can't get more revenue for the existing structure we can get more the state can generate more funds to provide support for locals, mostly rural communities if we make this change by creating a special purpose authority. Thank you. Any other questions? Representative Furey and then Bradley and then Carter. Thank you, Madam Chair, and to the Chief Justice, thank you for your leadership in coming today. One of the questions I had was, do you think that it should, in your stakeholdering and in your engagement across the state, have you noticed some of the security threats extend to members of family, or was the concerns mostly the staff and the actual judges, or did it expand to the families? Chief Justice Marquez. Thank you, Madam Chair, and thank you, Representative Ferret. Ferret, pardon me. I appreciate the question. So in terms of family members, largely these are family members of judicial officers that can also be targeted with threats. So if a judicial officer is the main target of a threat, Sometimes we've seen situations where spouses, children, siblings, and so on have become swept up in that. Representative Bradley. Thank you, Madam Chair. Chief Justice Marquez, thank you for being here, and thank you for your synopsis. Task force, I feel like, takes so much time. Is there not a more immediate way to start with the most, the courthouses that need the most safety concerns that need help more immediately? Is there no way to get them help before we try to go through this whole situation? task force implementation. Chief Justice Marquez. Thank you, Madam Chair. Thank you, Representative Bradley. So there's a lot of work that's already underway. Chief Justice Directive 9501, which outlines responsibilities for all chief judges statewide. We recently completely overhauled that, and one new component of that is to require all chief judges to be developing these local security committees already. So we've got planning underway at a local level. what this task force will allow us to do is to coordinate those efforts statewide. So there's much that is happening on the ground as we speak. I think we're trying to get our arms around greatest needs. Some of those are training needs. Some of those are physical security needs. Some of those are policy changes. Some of those might be potential statutory tweaks. And one of the nice things about this bill is there are a handful of statutory examples examples of low-hanging fruit, if you will, that I think the task force would have wanted to pursue anyway, and they're already incorporated into this bill. So the personally identifying information piece, the expansion of protection to judicial staff for the retaliation, the Title 18 provision around retaliation, are already folded into this bill. So this actually gets us a step forward. Thank you. Representative Carter. Thank you, man. Chair, what I will indicate is I was at the Arapahoe County Courthouse the day one of my good friends was attacked viciously. He was, I consider him the dean of the criminal defense attorneys in that building. Comedically or ironically, his son is also a district attorney as opposed to a criminal defense attorney. What I will say is in my 20 years of practicing law, I've never felt uncomfortable. But I will say that there's definitely been a new tenor in the air when it comes to individuals and their showing their disrespect or their dislike. It's not just the criminal defense attorneys. It is the judges. It is the district attorneys. There is a witness. There is a tenor in the air that should be noted. And I appreciate that this is coming forward. That is my sheriff. I've always felt comfortable and protected inside the Arapahoe County Justice Center. But like I said, the dean of my small band of criminal defense attorneys was attacked viciously, literally outside of a courtroom. And so I appreciate and thank both Chief Justice and my sheriff for their thoughts, and I appreciate you coming and explaining to us what's going on. Thank you for that question. Just kidding. I'm just kidding. It was all valid. Any questions? Any further questions? Okay. Thank you all so much. and in particular, Chief Justice Marquez, thank you so much for your leadership and really bringing light to what is happening across the state in our courtrooms and the staff as well. We really appreciate it. Thank you, Madam Chair, and thank you again for indulging me. Appreciate it. Of course, of course. Okay, we're going to go now to our folks in an amend position. I call everybody up in one panel I have Billy Rios Matthew Packard Lacey Hayes Michael White and Tim Reagan Okay, is there anybody else in the room that wants to provide testimony in an amend position on this bill? If so, please come forward. All right, we're going to start with you, Ms. Hayes. Welcome. MS. Wonderful. Thank you, Madam Chair, members of the State Affairs Committee. My name is Lacey Hayes. I am the Executive Director of the Colorado Lobbyist Association. We represent over 100 individual professional lobbying members. We are in an amend position on this bill today just because we want to be a part of this conversation. The Colorado Lobbyists Association supports and advocates for strong security measures in this building. We also support strong security in the judicial department and our friends there. We all want to be safe and keep elected leaders safe. The reality is all of our members are here in the building full time for at least the 120 days of the legislative session. We would like to see uniformity of treatment for everyone who calls this building a workplace or space. We have had great conversations with leadership over the past three years and have been assured that our issues that we have raised will be a part of the conversations around new security measures moving forward. We would like a seat at the table or the opportunity to have open and honest dialogue with the position of the Administrator of Legislative Safety as it is being stood up. We will continue to be your partners in this important conversation. Thank you for your time today. Thank you so much. Welcome. Please introduce yourself and the floor is yours for three minutes. Thank you very much, Madam Chair and members of the committee. My name is Matthew Packard. I'm a colonel on the Colorado State Patrol and have the privilege of serving as our agency's chief. And I'm here testifying on behalf of the patrol in an amend position. But I will just start by saying we are in support of so much of this bill and recognize what it's trying to accomplish and want to be strong partners with the General Assembly and moving forward to create an environment where you all feel safe and secure to do the important work for the people of the state of Colorado. specifically the portion of the bill that we're seeking to amend is the portion that creates a new police agency and I use that term in specific the position that's being created has been described by Vice Chair Clifford that may be a post certified officer. The sunrise portion that's in the bill does create a new police agency under the peace officer standards and training. And that issue and the potential for having another police agency in the building causes me concern about our ability to work together to keep this building safe. I recognize that there's concerns about how that might work and who works for who and those types of things. and I was actually recently it was brought to my attention there are members of the General Assembly that have concerns about the same people that are being that are responsible for your safety also might find ourselves testifying on policy for or against legislation that's being run and I honestly it hurt my heart a little bit to hear that but I can I can understand where that concern might come from I think this position would go a long way to help bridge that gap I don think it needs to be a police officer Having a police agency comes with it a lot of other concerns that I'm more than happy to talk and take questions about, where the root of that concern comes from. But just in the minute I have left, and perhaps it's nuanced from someone not within the patrol, But I would tell you that the way that we're structured is intentional. There's a captain you've probably met, Brandon Nathlich. He's our legislative liaison. Brandon works directly for me, works directly for the chief. The folks that are responsible for the safety and security of the building, they have a member of the command staff, Major Mike Ryan, that oversees all of those operations and the major reports to a lieutenant colonel. And those were all of those operational decisions are made. I certainly get briefed on those. There's some opportunities where I might engage from my level. Captain Athlitz does not have that opportunity, although he has briefed on those for his awareness so he doesn't look silly when you all ask him questions. But that's the intention of why that structure is there is to provide separation between policy advocacy and the protection of the folks here in the member. I also briefly just want to be up front. CDPS State Patrol is adding a fiscal note currently to the bill. that has a lot of the background of that is because a lot of the maize and shalls and I've had great dialogue with vice chair Clifford about that I'm confident we can find a solution to that as well but at the end of the day the broad language of the bill would require us to have extra people here to take on the duties that might come from the executive committee but again looking for a thoughtful dialogue about the amend position there but in the end very supportive of what this bill is trying to accomplish and want to make sure that we do our part to work with you to create a safe and secure environment here at the Capitol. Thank you. Thank you very much. We're going to go online now. If you want to come off mute, introduce yourself and the floor is yours for three minutes. Mr. Porter. Tim Regan Porter. Yes, thank you, Chair, members of the committee. My name is Tim Regan Porter. I'm the CEO of the Colorado Press Association, and we're in an admin position. And I want to start by noting that we've been in contact with Vice Chair Clifford and have had very productive and constructive conversations about the bill, and we appreciate his willingness to engage with us on these issues. And so I just wanted to lay out some of the issues that we've been discussing and start by recognizing that these are very real safety concerns that we understand and the three threats are serious. And, you know, I'm sure all parties want to respond thoughtfully and recognize the tension between privacy and transparency and the need to get that balance right. So really two things that I wanted to flag. One relates to the requirement to post certain information on the Secretary of State's website. There's an amendment coming, and we urge your support of that. The current policy does make it much easier for journalists to find and do the information they need to report, and particularly on a bulk basis when they're looking at candidates overall. And I understand that that information will now be allowed to be redacted, some of the personal information, which is certainly understandable. I think there might be a little more work to be done there to make sure that basic eligibility requirements like residency or potential conflict of interest can be investigated. And so we've got some ideas around making sure that that doesn get hindered And second on the protected person provisions you already heard some questions on this and I want to reinforce a little concern there Certainly, most of the personal information that is identified that's currently in law, we understand why that should not be published. But as you widen this to include elected officials, it does raise some issues, not only the photograph of the candidates, but also there's, you know, it also includes photographs of their vehicle, for example. And so while in most cases that is fine, it does raise some edge cases where a news, a local newsroom could be exposed to some liability and even the threat of liability is a real concern. So if a candidate, for example, was fleeing a crime scene days before an election, the threat that that could be litigated could cause us to take that down within 72 hours. And so I think there's just a little fine tuning that as you expand these provision, there might be some some issues to address in terms of what is considered protected and subject to take down. And so our goal here is not to weaken provisions, but to make sure that they're narrowly tailored and don't have some unintended consequences that show reporting and the public's right to know. It's obviously a long bill that we support the general provisions, but just wanted to say there's a little bit of additional work, and we appreciate the sponsors and committees' willingness to work with this. Thank you very much. Members, what questions do you have for this panel? Thank you Madam Chair thanks for being here I guess my question is for Chief Packard I'm not quite sure what you're asking because we have across the street a judicial seems like this same position has worked pretty well for them and the argument that it maybe is sort of a turf war that there would be different competing officers from different jurisdictions is not particularly compelling. So I don't think that's what you're saying. So why would the executive committee be unable to hire this person? And why wouldn't they be able to have the freedom to select them from a variety of backgrounds in law enforcement? Chief Packard. Thank you very much, Madam Chair and Representative Froelich. You're right. This isn't about who's who or turf war. I would tell you that there's a lot of similarities with judicial, but there's a lot of differences as well. As you heard the Chief Justice and much of her testimony was talking about the different courtrooms around the state. In this particular area, the primary of this work is happening right here in this building. And I would tell you that there's not a day that goes by that the State Patrol doesn't work shoulder to shoulder with another policing agency. I think this building is unique. And this building is because the responses that happen here are instantaneous. And they're very, very quick. And so having a consistent level of training, having a significant policy, not necessarily in the construct of legislation or law, but in the way that agencies respond to certain things. And ultimately, in a rapid response type of a situation, someone, that's part of a response, someone's in charge. And it's not about who gets to be that, but it's having a consistent level of training, equipment, authority, what I'm looking for, but I guess ability to respond in that specific incident. And so that's part of that. And then the oversight part of that is also of concern. And Representative Clifford also mentioned Rule 28 and some of those things with POST. But there's a key difference here. From A policing perspective, when a member of the Colorado State Patrol is put in a position where they might use force, that's reported and goes through a robust review process. And ultimately, there's a finding that was within policy, within law, or it was not, and that goes in a different spot. And an agency like what's here, based on the current legislation, that ability to have that review is left to the executive committee. And while I have all the amount of respect for the executive committee, having the opportunity to have policing professionals that do that and then have that oversight through post, I think is a more consistent way to do that. So it's definitely not about whose backyard we're in. And there are also the complexities, again, of this building, two different chambers, and you have the first floor as well. And so there's a lot of different stakeholders at play to have that consistent level of policing. That's what we're looking for here. But again, the position, I think, is of tremendous value and in full support of that. All right. Let's move on to Representative Luck and then Bottoms and then Verre. Representative Bottoms. This question is actually for Mr. Reagan-Porter. you're talking about some of the things that actually I had a little bit of concern with in the bill. As I'm reading down through this, I get to section 8, 9, 10, and it seems to be a complete different thing, a complete different subject. It doesn't seem to be the protection of the groups that are mentioned or the extra person or whatever. It just seems to say, oh, by the way, we're going to throw in some things that make it more difficult to know who the legislators are or for disclosure statements or some of that kind of stuff. And while I understand it, I am one of these people, I still think that there needs to be that openness to the public. So, Mr. Porter, maybe just kind of expound a little bit on what you were saying and how you would amend that. Mr. Reagan Porter? Sure. Thank you for the question. I still need to spend more time with the bill. It's a long bill, and we just really started reviewing it in detail. But in general, I think I'm particularly worried as you extend it to elected officials, and I understand the need for that in terms of the security concerns, some of the other, the broad protections of some of the types of information, there may need to be a difference maybe in the protected person category and what is protected. or maybe we need to revisit what is protected in the context in which it is made available. So I'm particularly concerned about candidate photos, vehicle photos, maybe property photos, because as was noted from the committee, lots of people take candidate photos. Again, it's themselves released photos. A candidate's vehicle could be captured in public, leaving the scene of a crime or just a normal everyday business, and so it might be part of a news story. And so having that taken subject to a takedown request, potential liability is where the concern lies. So I think there probably is a way, and I need to spend more time thinking how you would word it but I think there probably a way to protect the key information but not go too far in hiding legitimate information that is a legitimate public interest All right Representative Furet and I do want to note that we just got two minutes left on this panel. Thank you. Colonel, when you brought that concern to the bill sponsor, did they talk about any sort of amendments to address your concern of having that not be classify it as a police officer chief Packard thank you very much madam chair representative Ray representative Clifford and I have had lots of conversation I'm not sure we see eye-to-eye on this specific point but it's a conversation I hope to continue to get to the bill where we think it would best serves both of the interest representative Bradley thank you this questions for mr. Porter at the sponsor and I had a discussion Friday night and And we were just talking. Do you think that sections eight, nine, ten will leave it so that people will be more apt to not disclose and live in the district that they are running for office in? I'm sorry. Who was that for, Rep? Mr. Reagan Porter. I think if I understand your question, I think there is that potential. And so, you know, one of the concerns, you know, I think the sponsor also shares, for example, for redacting information from even from the Secretary of State site. Multiple entities will want to be able to verify that candidates live in the district that they're running for. And so I think there needs to be a mechanism in which to get that information, even if it's not for dissemination, like the actual address. There are certain news gathering and governmental uses of that information that should be available. And so, you know, one way to address that, certainly in terms of the candidate disclosures and the financial transparency would be to clarify just the fact that you're redacting this from the public website does not change its status as publicly available information. Other laws cover that so that a reporter or another individual or member of another department of government could get that information to verify, for example, the candidate's address. But it's not just going to be publicly out there on the Internet so that there are probably multiple ways to address the different concerns that come up. It's certainly verifying the candidate is eligible, looking for conflicts of interest in terms of, you know, ownership, property, that sort of thing, I think are legitimate reasons that information might still need to be available, even if it's not out there publicly on the Internet. Representative Luck, last question. Thank you, Madam Chair. In light of the time we're already over, I have a question for both the lobbyists and the CSP, so I think I will just take it offline. make a note here on the record that I'm going to ask them offline. Okay, that sounds great. Thank you so much. Is there anybody else here with us today that wishes to provide testimony in any position on this bill? If so, come forward. Okay, seeing none, the witness testimony phase is now closed. We'll bring our sponsor back up and move on to amendments. I understand that we have some amendments, Vice Chair Clifford. Yes, Madam Chair. Let me hand those to Ms King Yeah not ideal All right, we're going to give her just a moment to distribute those, okay? Thank you. All right, Vice Chair Clifford, everybody should have amendments now if you want to start by moving your first amendment. Thank you, Madam Chair. I move L1 to House Bill 1422. Second. I'm going to give that one to Farray. Go ahead and tell us about the amendment. This is a technical amendment just to strike one word. All right, any questions about the amendment? Any objection to adopting the amendment? Okay. Seeing none, Amendment L1 is adopted. Vice Chair Clifford. Madam Chair, I move L2 to House Bill 1422. Second. Seconded by Representative Wynn. Tell us about the amendment. So this is going to be in the vein of starting to deal with what you heard from both the Press Association and, first, I'm very committed to dealing with their amendments to make sure that we both create distinctions for the protected persons. I don't disagree with Rep Luck or some of the information there. And we really are, as I work through that piece, looking for the least restrictive and the most open opportunity to make sure that what we're only doing is trying to carve out the specific pieces that are needed in order to protect your security while trying to maintain as much balance as possible for us to get openness. So I will be continuing to work on that piece pretty significantly and in detail to make sure that we get those pieces right. That is what we start here, is this corrects where the personal financial disclosures were not going to be posted online. I have always thought that that approach was a mistake, and now what we're doing instead is telling the Secretary of State's office that they should redact anything that is of personal nature and still post that form online and or update the form so that some of the fields that are just going to always be redacted just don't exist on that form, whatever is appropriate in order for them to make sure that that works. And that is what this amendment does. We will have more amendments on SECOTS in this vein, just so you know. So I wish that I could have gotten something a little bit better on address checks in this amendment today. You all probably know I am one of the sleuths for the party who does a lot of that checking and will go next door to someone's home and take an affidavit and say, do you know your next door neighbor? They're running for office, et cetera. so it a fascinating thing for me too to try to figure out how we both give people the address so that it can be verified and also don give the address And we may not figure that one out and we still working on that piece But we might come up with a way that the media can have it or something that is a bit more restrictive So we're still working on those pieces. This is step one of that. This is saying we're going to make sure that the PFDs are still posted online and we're redacting them. And I request an aye vote. Are there any questions on the amendment? Representative Luck and then Espinoza. Thank you, Madam Chair. I have one technical question and then one substantive question. My technical question on the amendment, line 9, it says page 15, lines 11 and 12 in substitute were striking, right? It should be page 15, strike lines 11 and 12. Is that the intention? I should make sure. In the original draft, it was striking the language, so the amendment is now unstriking it. So they're striking the lines, but they're substituting the text back in without a strike through. Would you like to bring the drafter up? I think that answered your question, yeah. Okay, I think she's coming up anyway. Oh, an instruction. Ms. Myers. Thank you, Madam Chair. You turn your microphone on, please. Thank you. I thought I was on. Thank you, Madam Chair and Committee, Nicole Myers, Legislative Legal Services. I apologize. We are missing an instruction. It should be page 15, strike lines 11 and 12 and substitute. Thank you, Representative Luck. Sorry. Make sure that that, well, I think. Can we adopt that as a conceptual amendment in this amendment? I will withdraw the motion and I'm going to offer a motion for conceptual amendment. I think you have to make it to the existing motion. Got it. Oh, yes, because we're doing the amendment to this amendment. Madam Chair, I move conceptual amendment number one to amendment L2 to House Bill 1422. And that conceptual amendment will be to add the words page 15, lines 11. strike lines 11 and 12 and substitute. So we're going to add the words strike after the numeral 15. Okay, can I have a second? Second. Seconded by Representative Locke. Okay, just so everybody's clear, we have a conceptual amendment that we're going to add strike after page 15 on line number 9. on Amendment L-002. Is there any objection to this conceptual amendment? Okay, seeing none, the conceptual amendment is adopted. Now we're back on Amendment L-2. I'm done talking about it. Wonderful. I don't think your committee members are. Representative Locke, your follow-up question. Thank you, Madam Chair. Yes, my substantive question. It's my understanding that the disclosures we file are required even when we're not a candidate. And when we're looking at the section here, it's talking about candidate affidavits, candidate disclosures. And I just want to make sure, this might be a bill drafter question, that when it talks about candidates, that really it's going to apply to those people who are not running again but who are currently seated in office. Vice Chair Clifford. If you read further, there is language that addresses both, whether or not you were a candidate or whether you were elected or the required persons. It does address it. Somewhere in the 61 pages. Sorry for missing it. My apologies. Okay, thank you. I'm so sorry about a 61-page bill. I tried to double it, but they wouldn't let me. Thank God. Hallelujah. Ms. Meyer, are you good, or did you want to add anything? Oh, no. Thank you, Madam Chair. Nicole Meyer's legislative legal services. Representative Luck, are you? So the first chunk is the candidates. The second chunk is all the other public disclosures for elected officials. Representative Luck. Thank you, Madam Chair. And I see that. I see Section 8 is just the general disclosure, but all we seem to be changing in that is adding in mailing, address as opposed to just a street address. I'm looking at page 14 and then section nine, it's talking about the candidate affidavit where we're now amending it based off of this amendment. And then section 10 is talking about disclosures, but really is not talking about the information that is referenced under the section nine. It's talking about the real property we own, because presumably if we own our own homes, then you can cross-reference the legal description with the county records, such as to be able to find out where someone lives, and so that then defeats the purpose. And I just wanted to make sure that the Section 9 that's focusing in on the candidate affidavit is the section in statute related to the candidate affidavit and elected official who's not rerunning affidavit, if that's the same section. Otherwise, I feel like we need to have another amended section in that other place in statute. Ms. Myers. Thank you, Madam Chair. Representative Luck, if I can get back to you about that, I know that Section 9 covers candidates. Section 10 covers current elected officials. I'm not, I wasn't aware of the distinction between elected officials and elected officials who are not running again. So let me check on that and get back to you if that's okay. Okay. Representative Espinoza. Thank you, Madam Chair, but my question went to the strike question, and I'm done. Love that. All right. Any further questions on Amendment L-002? Seeing none, is there any objection to Amendment L-002 as amended? Okay. Seeing none, Amendment L-002 as amended is adopted. Are there any further amendments? Okay, committee, any further amendments? Seeing none, the amendment phase is now closed. Bill wrap-up. Vice Chair Clifford. Thank you, Madam Chair. You know, this bill has been a lot of work, a lot of meetings, a lot of conversations. I'd like to thank the Colorado State Patrol for their endeavors. They have been welcoming and inviting. Major Ryan, I don't even remember how many meetings we had over different aspects of their function and how they function. And I do want to make sure that we're not hurting the colonel's heart with information. We are very proud of the men in blue in this building and how they function. There is, however, a disagreement with a policy position about how we structure this position. And I don't agree that the executive branch should be telling the legislative branch who and how they should hire for any position, especially when we're creating something that we've done before. We have seen that it works. And I just not completely sold on the why or quite honestly even the lobbying effort We had the same complaint when I was creating the Administrator of Judicial Security across the street And the justices did come back at that time and said you know this is what we need And I want to make sure that we're responsive to their needs. But we may want this position to be someone that has been a police officer or is a police officer. And I can tell you, maintaining a post-certification in Colorado is, you know, I don't want to go through a police academy at 50 if I go work someplace for three years and then lose my post-certification. certification. I also think that in the future it is quite predictable that somebody that has served for a very long time in a peace officer position is likely to be a, who I think would be an excellent candidate for one of these roles. So I'm kind of, you know, kind of pince-ent, if you will, about that we have a policy disagreement. I want to point out, however, that we're talking about an executive branch of the government. And the judicial had the same conversations with us when we were creating that position. And we also did go through the post-sunrise process, the same as outlined in this bill. And we did create a new position, the same across the street. and we had the same concerns about how this person could maintain their training and how this person would function in those incidents, et cetera, and we ultimately determined that that was appropriate. And from all intents and purposes that I have seen, it is working quite well. I have appreciated all of the other offers that they have given us. We met a good week ago, I would imagine. And I was clear in the bill and the original draft that we were about to introduce that they were quite correct where it looked as if there was some overlapping responsibilities. And I very surgically went through the bill and made sure that we kept things very distinct and clear that the Colorado State Patrol are the police for the building. There is no intention for anyone at this level to have a person that takes this position have to be the police in the Capitol or to go put hands on people or to put themselves in a situation. However, if we hired somebody that had been doing that for 30 years, I also don't want to tell them that they can't, if we hire someone to come be our person to go and protect us in some place outside of this building and they are well qualified, I don't want to tell them that they are not allowed to bring their firearm as our peace officer into this building or to go to our town hall and stand and be that if that is what we choose. And I think that it's important that we let the executive committee, you know, the leadership of both chambers make that determination long into the future. And that's why I have been firm on that position. And it's the only sticking point out of 61 pages that I've had with any organization or entity on any part of the bill. In this bill, you'll find that lots of people have had lots of ideas and we've adopted all of them. And those of you that know me know that I am typically that way about most anything that works. So I not certain where we will go in this conversation but I do want to make sure that I put on the record both my appreciation and you know just quite frankly a disagreement between the branches currently I don necessarily want the governor to be specifically in charge of the person that's making all of my security decisions, and it's not that that's anything about that, but quite honestly, I've had the Department of Public Safety show up in positions on behalf of the governor's team on bills that had nothing to do with the Department of Public Safety. So as long as in this building they are also advocates for the executive, I think that it's important that we have somebody that is wholly independent and works for us. I'm proud of where this legislation has gotten. I'm sorry that it came out so late. We have very intentionally not introduced it until we got all the major policy pieces done. As you can see, it's a lot. There's a lot in the bill. I have appreciated everyone that's worked with us on it, and I continue to look forward to all the productive conversations that we'll have beyond today. So I request your yes vote and thank you very much for your trust. Would you like to move your bill? I would. I would like to move House Bill 1422 as amended to the Committee on Appropriations with a favorable recommendation. Second. All right. Representative Frey seconded. Anybody have any closing comments? Representative Espinoza. Thank you, Madam Chair. Thank you, Representative Clifford. and thank you to all the witnesses that testified today. I am very impressed. I just want to start with the record to say I'm very impressed with the Chief Justice's actions. As you know, we gave additional funding or recommended the support for additional funding supplemental in the beginning of the year after hearing the SMART Act testimony and the Judiciary Committee from the Chief Justice and the special need to have an individual to get her able to get to the place where she could interact and provide the input, I think that we've received to that part of the bill, and I really do appreciate all of those efforts, and the bill, as complicated as it might seem, is very well crafted. However, I do want to go on the record to say I do think we need to continue to work with the State Patrol, because I am persuaded that the one issue that needs to be addressed, even if we have an independent individual from the legislative purpose, which I see that as well, is the question of how we have accountability for that individual if they are not post-certified. because if the individual is a post-certified individual, then they would be subject to the accountability and review subsequent. But if we just call them a peace officer and they're not post-certified, I still don't know how that process would happen if they did have to execute excessive force or in some way do some work. So I think maybe that's a place to go down the road in terms of a compromise of those positions because I can see the value in why we would want to have a separate individual for the executive or for the legislative branch from the executive. But I do think there's still some of that crossover issue that would need to be addressed. And I also just wanted to put on the record that I hope we continue to work on that language of tweaking because of the photographs and those issues in terms of that, because I do think there may come a time where the Secretary of State would easily put up photographs of candidates so that people would have that information as they're voting or other kinds of issues. So I do think we need to clarify the language to make sure that we're not foreclosing opportunities for that information to be available to the public in a more full way when we're talking about candidates in terms of those photograph issues. It's a funny little holdover from the law. I'm sure when we don't look at rewriting the law, we don't think about all the intersections necessarily. I know I found myself in that capacity sometimes to writing my bill to the provisions that we need to but then not seeing how it directly interacts So I think those were two points that we could work on And I know that Representative Clifford you will do so but that why I wanted to put it on the record and I appreciate all the effort to date It be a yes in committee today with the hope that we can figure out some answers. Representative Carter. Thank you, Madam Chair. I just wanted to echo definitely what Representative Espinoza said. I would have many questions that I have regarding the internal piece for the legislature is the privacy concerns, and I would want to sit down and talk to you regarding what does that look like when we're no longer being – I don't want to say monitored, but protected by maybe someone who is more embedded within us. And is there any I would have to have some questions about any privacy concerns for the individual legislators as far as the piece regarding courthouse security and working through that. I literally after we had the conversation, I went and looked at the individual. Like I said, one of my friends was 80, almost 80 year old man. actually almost 70 year old man broken clavicle fractured um basically he was body slammed by an individual inside the courthouse um there's definitely been a tenor that has changed um it's not just for members of the court staff like i said it's also the defense attorneys, it's the DAs, it's the judges, it's the judges' staff. I started going through the comments of the individuals in the article, and they were all over the place from an individual, you know, that's what he deserves, you know, he's a lawyer, I hope I don't have to sit on that jury. There is a tenor in the air regarding elected officials and just officials in general. So I appreciate that portion of the bill that's going to start looking into what does that look like and what can we do to protect those individuals. I've never felt unsafe inside of a courthouse, but I have watched that fear maybe was not justified. Not being unsafe was not justified because of some of the stuff that I've been seeing. So I appreciate that portion of the bill, and I'm going to be a yes. Representative Luck. Thank you, Madam Chair, and thank you, Representative Clifford, for taking this on. it's no small undertaking and definitely essential for all of the branches and for all of the people who work in them and frequent them and come and engage them as citizens. I really do appreciate it. I have a number of concerns about some of these specifics. I'm grateful that you're willing to continue to work through them. As someone who has had different issues in the capital complex, I'm grateful that these conversations are ongoing I do as I mentioned during the question time want to flesh out some of the conversation with CSP related to how they see this all working out especially as relates to physical changes to the building that may add in security and who would have authority there in the event that the identification and assessment of the nature of security needs and risks by the Administrator of Legislative Safety were to rise to the level of needing new physical items. And so I just would like to flesh that out with them. I'd also like to hear more from the lobby corps as to what their issues are and whether this bill is going to address them. I have some concerns about the creation of this new authority and what that all looks like. And with Tabor, I just want to get some of those things straightened out, and I haven't had a chance to read the fiscal note, frankly. So I want to do all of that before I give my yes vote, but I am well on my way to giving a yes vote on the floor as these things get worked out. But I just want you to know that, again, I appreciate all of the hard work that you've put into this. Representative Bradley, and then Ricks. Thank you, Madam Chair, and I'll just ditto what the representative from Penrose said. and thank you for the conversation Friday night. I really appreciate you coming over to us and spending. We spent quite a bit of time going over this bill, and you didn't have to. We were all tired and kind of wanted to go home. But as someone who had a restraining order against a man who just spent a month in jail for violating that restraining order, I appreciate this bill. A couple of things that I definitely want to talk about Tabor and to Colorado State Patrol and kind of see about some language as far as that goes. But this is a big ask, and there's not a lot that I feel like I need to finagle. So I appreciate you working with your stakeholders and bringing an important bill. We are seeing a change in this country right now, and it's a scary change, especially for people that run for office and who have children that are getting brought into this mix. So I'd like to see maybe protections for our kids, too, because it's not fair. They didn't sign up for this to be put in these places either. so I'd like to talk to you offline about maybe protections for children as well. Thank you. Representative Ricks. Thank you Madam Chair and Rep Clifford. Thank you for bringing the bill. There's a lot of good stuff in here especially with the climate of violence that we're seeing against elected officials. The big concern is what everyone else has already said but I just want to put it on the record. I want to see formal mechanisms in place for the, you know, to prevent the conflicts that could arise between the Denver PD or the state patrol and, you know, anything like that that might happen here on the complex. So I think you do need to have some formal mechanisms in place so there's not jurisdictional conflicts that will arise or how will those be resolved if they do arise. So that's what I would like to see. But I'll be a yes for today. Thank you. Any further closing comments? Okay, Vice Chair Clifford, I want to add my thanks to the chorus here. This is a big bill. I mean, I can imagine that you've spent hours upon hours negotiating and navigating and figuring out what the right formula is that you are ultimately going to bring forward. I also want to thank you for your continued collaboration with Chief Justice Marquez and the court system because, you know, people should feel safe where they work. People should feel safe when they're inside of a courtroom, outside of a courtroom, and not face additional violence for the work that they're doing. And I definitely echo and appreciate the comments from Representative Carter. I agree. The tenor in politics in America has changed. It's shifted so drastically to the point that we don't just disagree with each other. We find it acceptable to try and end each other lives and I don think there a single lawmaker in this room that doesn know the experience of opening up an email and receiving something absolutely horrendous or doesn't know what it's like to receive a threat or have somebody show up on your doorstep it's it's scary it really is and unfortunately that is that is the climate that we are in and security has to be a conversation that we're actively having and so I thank you for that and I look forward to seeing how this bill continues to evolve and how you continue to do the work with stakeholders and address some of the questions that were brought forward today in committee. So thank you and with that Ms. King please poll the committee. Representative Bottoms. No. Bradley. No for today. Carter. Yes. Espinosa. Yes. Roelick? Yes. Luck? No. Wynn? Yes. Ricks? Yes. Clifford? Yes. Madam Chair? Yes. House Bill 1422 as amended passes on a vote of 8 to 3. Thank you very much, Vice Chair Clifford. We'll have the second part of your show after the next bill. I hope I can skip that one. All right. Senate Bill 147 with Representatives Johnson and Froelich. Welcome. I know it's so awkward with the column in the middle. All right. Who would like to begin? Representative Johnson. Thank you, Madam Chair, and thank you, committee members. It's my first time here in state veterans' military affairs this year, so it's good to see you all. Bring forth Senate Bill 26-147. What you heard in the Senate, please scrap that from your head. This has been highly amended and we're bringing a re-engrossed version that now deals with making sure that we're bringing transparency by regulating the executive branch, the judicial branch, and the office of the governor. And when they come to testify on bills or to work on bills, we're making it the same standard as lobbyists currently have, so that way they have to document what they're doing, whether it's opposed, support, amend. We had heard the question because many times, colleagues, I know I've done it, you bring a department in for questions only, that is still allowed. We just want to make sure that the people of Colorado can know what's happening. And we do see a lot of pressures here from the first floor, and we want to make sure that we're keeping that, you know, coherent and straightforward, understanding that when we talk to each other, and, you know, I might say, well, this is what I've heard from one liaison or one department. It could be misinterpreted. It could be misunderstood. And we get into confusions where we look at each other and say, are you sure they were supporting this? We're hearing something else. Are you sure they want this amendment? This helped all of us keep it together and would very much encourage a yes vote so that we're making sure that, you know, the same standards. And then it does add the two-year window. So when one of us leaves this building, you wait the two years like you would to go into the lobby corps. You wait then before you go into an agency or department. And with that, I will turn it to my good co-prime. Representative Froelich. It's about to sneeze. I'm sorry. Thank you very much, Madam Chair, and the State Veterans Military Affairs Committee for the opportunity to present Senate Bill 147, a bill that clarifies issues around lobbyist disclosures and adds transparency to our legislative process by requiring legislative liaisons of all agencies to abide by existing rules for other lobbyists. And thank you to Rep Johnson for spearheading this effort in the House At its core this bill is an opportunity to set a new paradigm for our next legislative session to rebalance the power between branches because for the past eight years there has been an imbalance made worse by the fact that legislators are caught unaware when the executive branch operates with an historic intensity as legislation moves through the legislative branch. The bill addresses some longstanding questions that have been around the lobbying. It eliminates duplicative reporting. As mentioned, it deals with state employees, and it also clarifies when members of the legislature go leave the legislature, how long they need to wait before not only lobbying, which is existing law, but also taking on a legislative liaison role. This is a popular bill that many of you have already co-sponsored, unanimous out of two committees in the Senate, with less than a handful of no votes in the Senate on third reading, but is, as was mentioned by my fab, co-prime, not particularly popular with the first floor. and we ask for a yes vote. Members, any questions? Okay, I'm not seeing any questions. We'll hold for picture taking. Okay, all right. Thank you all so much. We're going to go ahead and move into witness testimony. We have three individuals signed up. We will call them all at once. There's Kristen Hartman, Lacey Hayes, and Kashina Weaver. If there's anybody else here in person that would like to provide testimony, please come forward at this time. Welcome back, Ms. Hayes. We'll let you kick it off. Do you mind if I let Ms. Weaver kick it off? Sure. Share the fun. Go ahead. Share the fun, yes. Good afternoon, Madam Chair, members of the committee. Kishina Weaver. I am with the Colorado Lobbyist Association along with Lacey Hayes and pleased to be here today. I am going to kick it off by just explaining a little bit more what the bill does. I know you heard from the sponsors just a moment ago and they did a great job of kind of setting the stage. And just want to be very clear, this is a pretty simple bill, especially as it's been amended coming out of the Senate. It makes some clarifying changes to statute to ensure that all individuals and entities that are engaged in the public policy development process are disclosing those activities and eliminates duplication of some of the efforts that have been happening so far. It does include the executive branch and the state agency liaisons in this transparency, which we think is very critical and seems to be in agreement with many of your colleagues. It also creates a revolving door restriction of two years for former legislators to become either legislative liaisons or fill a position similar to that, similar to what's already in place for legislators becoming contract lobbyists. And it does create an attestation for volunteer lobbyists, which is something that has been identified as being missed. So a volunteer lobbyist is intended to be somebody who is not paid to do this work, and so folks have asked for some sort of attestation that they're not being paid. You know, we've heard a few different things kind of running around this bill, what it does and what it doesn do and what we are really looking for is uniformity for all of those individuals that are engaged We are concerned about creating loopholes about letting people through going to kind of fall through the cracks here And we really urge your aye vote. Sorry. Thank you very much. It's okay. Thank you, Madam Chair. Lacey Hayes again, Executive Director of the Colorado Lobbyists Association. We strongly support Senate Bill 147. I think you could hear that from Kishina's words. I will just reiterate that this bill is simply about increasing transparency in the public policy developmental process. That's what this bill does. It is extremely difficult for us to understand why the governor's office and the judicial branch are not supportive of transparency. If you know right now, current law says that the judicial branch is completely exempt from any reporting. We know that the state liaisons, they do report, but their positions are not applicable right now. And then the governor's office does not have to have this transparency at all. Frankly, the amount of time that it takes for a lobbyist on a monthly and a 72-hour basis to register is negligible. even for the largest of firms who do track the majority of legislation coming through the process, which is similar to what the governor's office is doing right now. There is no functional difference between legislative liaisons and the lobbyists or government affairs professionals who already meet the transparency requirements set in law. Lobbying activity by any person or entity should be reported, especially when public dollars are being spent. in an effort to amend, support, oppose, or even monitor a bill. This is the intent and the goal of Section 5 of Senate Bill 147. Also in this section, when we're talking about the judicial branch, which, again, previously did not have to report any activity, we had a bunch of independent judicial agencies come to us when we introduced the bill. They were not original stakeholders. and they said, look, we don't want to just be represented by one judicial liaison. We want to represent ourselves and we want the transparency. So if the independent judicial agencies can say, we don't do this reporting and we want this transparency, why are there other entities that say that they don't? These include the Office of Administrative Services for Independent Agencies, Office of Public Guardianship, Office of the Colorado State Public Defender, for example, and there are more. Again, they all assisted us to ensure that they could have their own way to have the 72-hour bill position reporting. We are here for questions, and we ask for your strong support. Thank you. Thank you very much, and our witness surprise. Hi. Did you call my name? No, it's great. Okay, sorry. My name is Kirsten Forseth, and I'm here representing the Colorado AFL-CIO in support of Senate Bill 147. Colorado has long required lobbyists to work in this building to register, report their clients, report their income and expenditures, and disclose their positions on bills. That system exists for good reason. When legislators know who is trying to influence them and on whose behalf, they can evaluate the information they receive with full context. It builds trust for lawmakers, the press, the public, and all other lobbyists in this building trying to compete on a level playing field. Under current law, the executive branch does not have to comply with these requirements despite engaging in supporting the amending and opposing bills. Too often an agency's position on legislation is not disclosed until moments before a committee hearing communicated to the bill sponsor only as the agency prepares to testify. This leaves proponents and legislators with no meaningful opportunity to respond to the agency's concerns, offer clarifying information, or explore amendments that might address them. 147 changes what should have been happening all along. Transparency and a level playing field for all those working to pass laws. Disclosures don't threaten good faith conversations about policy. They give it credibility. If the state's position is sound, disclosures will serve to validate it. Sunlight ensures that every voice in the process is visible so that the public and the fourth branch of government can hold decision makers accountable. This committee has an opportunity to close the gap in Colorado's lobbying disclosure framework and IRGS vote. Thank you very much. Members, any questions? Representative Ricks? Thank you, Madam Chair. And this is for any of the witnesses out there. I do have a few questions. The first question is who's going to monitor the compliance on this? The bill is assigning filing responsibilities to the Secretary of State, but do they have the capacity to audit this and to enforce this new disclosure? Thank you. Ms. Weaver. Thank you, Madam Chair. I have to remember that. Thank you for the question, Representative Ricks. Currently, the Secretary of State's office does already monitor compliance for all lobbyists and all individuals that are required to register. this would not change any of those requirements on their behalf. Okay. The next question is, in the second category that you have created for lobbyists, you talk about incidental duty. How is that defined? Ms. Weaver wants to answer that. Ms. Hayes, go ahead.
Thank you, Madam Chair. Representative Riggs, what section is that? Thank you, Madam Chair. We say second new category is for individuals who lobby exclusively for a nonprofit organization and only as an incidental duty of the person's employment with the nonprofit. So what do you mean by that? How do you explain that? Ms. Weaver. Thank you for that question as well. That section of the bill has been taken out. So there is no longer a requirement for the nonprofit association to have a separate registration. Okay. And then thirdly. Representative Ricks. Thank you, Madam Chair. The bill is describing what participants must not do, but doesn't spell out the consequences for violations such as lobbying outside of the one-mile radius or on behalf of an unregistered person. Can you speak to that? Ms. Hayes. Thank you, Madam Chair. Representative Ricks, that was also ripped out of the bill. It was the advocacy day participant section, which we were trying to bring some transparency to all the lobby days that you see down here. It did not bode well to both sides of the aisle, RMGO and the ACLU. So it's gone. Okay. Thank you so much. Okay. Let's go to Rep Wynn, and then we'll come back to Rep Bradley. Thank you, Madam Chair. I have a couple questions. Question number one, is there a difference between a government lobbyist and a non-government lobbyist? No. Does someone want to answer that? I'm happy to. Ms. Weaver. I can answer it. Ms. Forseth. So for the purposes of this building no You will see executive staff arguing that they need to support they need to amend or they need to oppose a bill And I think what's important to decipher here is lobbying activity. This means you are reaching out to legislators and having a conversation. I'm not talking about you reading a bill, and now all of a sudden you're having to register on it. That's not what we do. That's not what is understood of lobbying. The intention behind this is to say that lobbying, if you are asking a bill to change in any sort of way, you are letting everybody know that you are doing that. Representative Wynne. Madam Chair, you answered my second question, so I'll go to my third question. As we all know, one core aspect of government relations is contacting, you know, actually, is the order of presidents, right? What other states has a similar process where government affairs lobbyists are in the same category as non-state actors, essentially? Is this completely unique? Where are we in terms of other states? Ms. Weaver. Thank you, Madam Chair and Representative Wynn. I'm not entirely sure what all other states have done in this realm. I think everyone's statutes, and I've worked in a different state previously, and I will say it is very hard to compare apples to apples with any sort of policy because each state structure is different, and I don't think that this is any different than that. So we haven't done any research on this. Our initial goals really with this bill were creating the transparency and creating some of the redundancy for the current status of lobbyists, working with the nonprofit association, working with the advocacy days, as Representative Ricks had brought up, and the attestation. The rest of this has been brought into the conversation over time and seems to be very popular with most of you. All right, Representative Bradley. Thank you, Madam Chair. Let me just – is the 72 hours still in the bill? Yes. Okay. For everyone. Okay. Just wanted to make sure before I asked that question. Who is holding that accountable? I mean, let's put some enforcement in there. Let's throw like a fine or something for the end of staff party. I don't know. I just – how are we enforcing that? Because, listen, I just had a bill die by the governor's office who came 30 minutes before my committee. Yeah. Yeah, not happy. It's not a happy face right here. So who is going to hold them accountable for the 72 hours, making sure that they change their position? Ms. Hayes. Thank you, Madam Chair. Representative, I think, sorry, Representative Bradley. The enforcement is done at the Secretary of State, and currently just folding this into how it works for us as professional lobbyists is it's a complaint system. So what happens is if you're frustrated, your example, the governor's office didn't register on your bill they're telling you they're opposed they're not registered you can file a complaint with the secretary of state and then they go through that complaint process we haven't discussed any the secretary of state can actually leverage fines in that capacity as well so we've seen that done with some colleagues that have had this unfortunate circumstance happen or maybe not so unfortunate Any other questions? Representative Espinoza. Thank you Madam Chair I just trying to and I haven really seen it in the bill but you talk about the bar to employment And I just trying to imagine some of our lobbyists who might be very well suited to leaving and moving into another department or within that department at the end of an administration or some other term. Is that prohibited under this bill? I would have concerns with that because I imagine the experience of lobbying would give them a great perspective to be able to then move into the department. and it's sort of different than us being barred coming the other direction to do the lobbying. So I wasn't clear from your testimony if someone would clarify that. Ms. Hayes. Thank you, Madam Chair, Representative Espinoza. So current law is only about you as covered officials leaving your role and after two years not being lobbyists because you could sway your colleagues a little bit easier. I wasn't there when that law came into place. the other portion of this bill that mandates that you as elected covered officials can't be liaisons is a discussion that happened between Senator Cutter and Senator Heinrichson in the Senate. They thought that there should be uniformity. If we're bringing this transparency for liaisons and the governor's staff and the judicial branch, then this policy should also be folded in because liaisons and the activity that we've seen from the governor's office is lobbying by the definition of lobbying in our statutes. And so we haven't touched the scenario that you're talking about from my understanding. Any further questions? Thank you all so much for your testimony. Last call. Anybody else that wants to provide testimony on this bill come forward? Seeing none, the testimony phase is now closed. Sponsors, do you have any amendments? Any amendments? No? Committee, any amendments? Seeing none, the amendment phase is now closed. We'll wrap up. Representative Froelich. Thank you, and thank you very much, committee. To answer a couple questions that have been floating around, Representative Wynne, we would be the first state to undertake this particular language. But we're also, we've just experienced a unique set of years in Colorado history where we've seen an unprecedented level of involvement from particularly the executive branch into the legislature. So as we said in our opening remarks, this is a chance to turn the page and to bring in new people who are going to abide by a more transparent set of rules. And I think it will usher in just a healthy and days of harmony between all branches. And we ask for a yes vote. Representative Johnson. Thank you, Madam Chair. And also piggyback on my good co-prime. This is apples to oranges. I've been looking at other states that have done this. Some states don't have compliance laws. A lobbyist can buy steak dinners every night for a member. There are states that don't require that you have different folks registering where they stand. So we're all unique in this that it's very hard to compare. It's very apples to oranges. But in our state, we very much see where what the first floor wants often is what the first floor gets. and it's very hard having been in bills on myself, where I'm trying to do open stakeholding. I've been on bills for two years. No correspondence whatsoever until day of committee. Drop it right on me in 15 minutes, and they're like, we hate this. I was like, well, I've been openly stakeholding this for a year or two years. So we're asking for that transparency just to make sure we have a leave it even playing field on the separation of branches and urge a yes vote. Representative Froelich? I apologize as well to Rep Espinosa question as well there no preclusion for moving into a department and taking a job post life It's that unique role of being the legislative liaison that we're asking for a two-year pause on. So you would have many roles in the department, just not that role, and just not for two years. Representative Froelich, do you want to move your bill? It'll go to appropriations. Oh, thank you. You're off. Sorry. I move Senate Bill 147 to the Committee on Appropriations with a favorable review. Second. Oh, no. I'll second this committee. Sorry about that, Rep. Johnson. We're going to give that one to Rep. Foray. We know. Okay. Any closing comments? Okay. Seeing none, Ms. King, please poll the committee. representatives bottoms yes Bradley yes Carter yes Espinosa yes Ray yes Rolick yes yes yes yes absolutely yes Adam chair yes your bill passes unanimously on a vote of 11 to 0 thank you very much all right part two of the Clifford show is about to commence. I don't know. I do agree that he needs some theme opening music. I'm skipping away from our poll a little bit. I know we just put this here, but I don't think it's working out. Like Law and Order or something. Ms. King, did you pass out the amendments first? Okay. Before we get started. You would like me to go ahead and begin? We were trying to finish singing your theme music. Fine. Senate Bill 90, the moment that we've all been waiting for. So with all due respect to everyone, I just got the amendments. Hallelujah. It has been a busy day for our drafter, I believe, and Ms. King is going to pass those out. We're going to address a few things as we get started. So first and foremost, I'm going to start by saying I have been an absolute yes vote and behind the scenes push for Reptitone's efforts on right to repair in this state. I have cheered her on in many of the endeavors. If I'm not mistaken, I was co-sponsor on most of the bills since I have been here. I've never been a no vote in this area. This is something that I think that is massively important, and I'm very, very, very proud that our state has gotten this right. Where I have a question, and this is the question that we're here to ponder today, is we did make carve-out adjustments. We did exclude certain things last year when we passed this that included things like security systems or the radios for our state radio system, for instance. There were some things that we recognized, like you probably don't want me giving the schematics to how we deal with certain alarm devices in my day job. In fact, we go to great lengths to make sure that no one can dismantle or can look at. I think I shared with the lobbyist earlier today. When I'm doing vault sensors in jewelry stores or something on safes, it's always two technicians, and one technician doesn't know what the other one has done. So when the paneling or when the inside pieces that cover all of the sensors up in a safe get covered, even the other ADT technician that's on site with us does not know how they were done. And that is for redundancy, for security, some things we recognize, and that business just need to be a secret. I think that there are additional items that are now covered by our right to repair that also we may still need to keep secret. Point blank. So this is a short bill. I could read it to you in less than a minute. I would, if I talk Mr. Schiebel style, probably not with me being Southern, it would probably take us a minute and a half. One of the things that I want to make sure that we're getting correct here is that what we're not trying to do is create loopholes. In the bill, we are going to make some changes to the existing, did we get the, do you guys have amendments in hand? Madam Chair, I'm going to go ahead and talk about those now as we go, even though we'll move them later. I just want you to understand that what we're trying to do here is to make sure that something that's used for a government purpose or critical infrastructure can get an exemption if we determine that that device actually is used in government service for critical infrastructure. The other piece that is very important about that is that we have the opportunity then to have a process by which that gets reviewed. So in this bill, when the amendments are adopted, it will say that the attorney general shall create rules for how organizations come to them and say, I have this particular security device. It's used in government purpose. It's used for critical infrastructure, and we need to keep it protected. This is the process by which we will go through getting the approval to do that. I looked at Rep. Luck when she said that because she really absolutely loves it when we give the executive branch the authority to adopt a rule and give away our legislative capacity then again to the executive branch. However, short of creating a year-round person that works for the General Assembly that does this, I don't have another way to do it. We need to use a regulatory body that normally does this work and let them do that thing. The other piece is I want to make sure that the reading of the bill is correct. So if we start, we are saying that this does not cover stuff you go buy for your house or even for your businesses. with respect to digital electronic equipment, everything that you see from line 13 on page 2 all the way to lines 12 on page 3 is what it doesn't cover. It saying none of the things that are currently covered by right to repair are in this bill And then we go in to say and it will say the Attorney General must adopt rules to review exemptions from this part 15 of information technology equipment that is to be used in critical infrastructure in reviewing an exemption that everything that you see below that part is what the attorney general has to review There's nothing in there that says something is approved. It says the attorney general is going to review to make sure that that equipment is used in a manner that it is for critical infrastructure, and we're adding an amendment to say that it must be related to government service, or whether the information and whether the information technology equipment is used for some other purpose. So if it's used for some other purpose, then they cannot approve it. What we're saying here is we are going to put very, very, very tight guardrails on what we're giving the attorney general so that the only thing that they're authorized to prove by law is something that they can identify is used in critical infrastructure, something that is protecting our government data, something that is protecting something like our traffic signals. We did have somebody that hacked into some of our traffic signals that are now all managed at one point in time and wreaked havoc. Last year, you may remember me speaking on a bill about a teenager who had kind of reversed engineered one of our state radios and gotten the encryption key out of it and had started programming equipment because he was able to get that information. It was quite a thing. We do know that there are people out there that are working around the clock to try to get into security systems. That is happening every day. You get a brand new iPhone. The race is on to see how quickly a hacker can jailbreak it. In my security business, we are required to have something that's called – we've got a security appliance made by a company you'll hear from today, Cisco. and we have a Cisco ASA that sits on my home network that gives me the ability to log into secure systems. I have to have this device that allows me to get into those systems. Just by having that device connected to my Internet at home, any of you that want to see our logs from our Stingbox, I have something that's called a honeypot. We've got a set of servers that also sits out there that just looks like it's got stuff on it so we can see who's trying to poke around in the network. But while I've got that there every single day, I bet I have 100 different events where because I have this security device sitting on my network, they are now trying to get into my network. Fortunately, they're just getting into garbage. But I rely on the security vendor to make sure that that piece of equipment stays up to date and secure so that they can't do that. The other thing is they're who I have to sue They're also who my insurance company requires maintains it. They don't let me go figure out how to secure this on my own. They want to make sure that that technology is secure. It's inappropriate, and I would be remiss to think that the company that makes that device is ever going to send you the schematics on how to take it all apart, put it back together, or make it less secure. It could ruin my business. One instance where somebody got into my security device and logged into someone else's security and shut something down, reprogrammed something, altered something, did something to a fire alarm, yada yada yada because they somehow got access into my own network would be absolutely unthinkable to me And I don get to manage that I have to let the professionals that deal with that day in and day out Now let me also explain it and I know that there a number of lobbyists that are coming to talk today For what it's worth, you should know I have been judicious in my engagements with lobbies. The Cisco folks that are here today, you should know I might have spent three minutes of FaceTime with them total. I am certainly trying to stay in the policy here and out of the lobbying. Most of you have been lobbied very heavily. Some of you, I know Reptitone, this is like her baby, and she thinks we're trying to kill it, and we are not trying to kill Reptitone's baby in any means. But I am wanting you to ask this question. The first question that I ask the committee to ask is, do you think that there are some things related to protecting government systems or people's information that exists on government servers? Do you think that some of that information should remain secret? And if you've answered that question, yes, then the next thing I need you to ask yourself is, well, how do we make an exception so that they don't? And the only thing that I can come up with legitimately is that we use a regulatory body called the Attorney General's Office to set rules on how we're going to exempt this, and we give them that authority to allow some exemptions to the law that we created. Now, I don't have a better way, and they're very good at it. And I'm going to tell you, I heard somebody today say, well, the attorney general could just get bought by the ex-lobby. And I'm like, have you met the attorneys in the attorney general's office? Those people are not at all taking their jobs lightly. And when you have multiple attorneys in the same department, to even make a comment like that to me is an absolute unthinkable thought. It's not like you might not have somebody at some point in time that doesn't do something correct. But it – like I hold every attorney general elected and all of their staff in Colorado to the highest standard, and I absolutely trust them with the ability to say, we know how to look and verify that you've got something that is both a piece that is being used in critical infrastructure, and we are looking to verify that that is how you're using it. And yes, we agree with you that that should remain secret. And that is what it's going to take in order for this to get done. There's no intent here to create loopholes. In fact, you'll see from the stack of amendments that we've just given you, they are very simple. You can go mark your bill up with the information that is in there. you'll see that what we've tried to do is make sure that we were crystal clear all the way through about what we were trying to do here. Second thing, there's one other piece, and I understand that there's some people that are opposed to this, but I have also just a quick Google search. There is a federal law for one of the amendments that is coming that is related to photocopier equipment, printer equipment, et cetera, where there's a federal law that they have to have basically a little device in all of the printers sold in the United States, no matter how big or small, that prevents counterfeit currency, creating counterfeit currency with the machines. I was able in just a few minutes to figure this out very quickly that that is federal law and that that is something And there is an amendment we will have today also that will have that specific piece that will make sure that that thing just reverts back to federal law We're not going to have them send you the schematics for it in the state of Colorado. One other thing that I think that you should note is why this is so important and why we're trying to deal with it now. I do think that this is of urgent consequence. I would not have taken on this bill. I do not want to be in this fight. I do not like this fight. I have not enjoyed it. But I do think that this is urgent. I don't think it can wait. I think that it's something that we must tend to. And the consequence here is we have companies where we have major industrial complex in this state that are declining to send certain pieces of equipment today that are designed to protect us. And they are like, we can't send that to Colorado. And they're not joking. they're not going to comply and give away the keys to their kingdom for the things that are securing billions of dollars of interest for their customers over the law that we passed. They're not going to comply. What they're going to do is just not have commerce on those items here. And I can tell you if this still included security systems, we would not have complied either. I'm not going to send you the schematics to the jewelry store. Like that's the whole nature of the business. The nature of these things is some of them need to be secrets. And that's where I am. So welcome to our prime sponsor. Thank you for letting me get started without you. I hope that I did the job that you expected. Welcome, Representative Hartzuck. Thank you, Madam Chair, and thank you to my sponsor. My apologies to the committee. I was voting over there in finance across the hallway and was dashing back and forth, so thank you. Having missed, here's what I'm going to start with. I get to make my famous statement, as you all know, 26 years in the Army. Of that, three years spent at the Pentagon on the Joint Staff and four years down at Northern Command on their Joint Staff was spent working on critical infrastructure. Part of my job was not only critical infrastructure for the military, but across the nation and working with states in what they deemed was their critical infrastructure. Contrary to what a lot of people think, critical infrastructure is not predominantly under government control. It is in the private sector. Imagine everything that's out there from telecommunications, infrastructure, roads, SCADA systems, water, sewer, all of that is deemed critical infrastructure. A lot of government agencies might have access to that and determine how it goes, but a lot of that is under private enterprise. The simple secrets that the government controls on the military side, State Department and all of that, that's a given. Everybody gets that. But the majority that's in the private sector, we in the government and on the military when I was on active duty would go to them and say, you've been identified. These are things that we see from the actors outside that are going to be a threat only to what you're trying to do but to the United States. And these are how they can access it. And one of the ones that was most interesting, and I literally flew out this way back to I saw on active duty, came up here to Denver. We were talking, we were meeting with some of the engineers on SCADA systems in the water and sewer. Picture any large city. If you have access, and those are basically closed systems. But if you could gain access to that, just picture what you could do if You switched all the valves on the sewer system, and instead of going to the processing plant, you sent it back to where it came from. The biohazards that you would create, the catastrophe that you would create, I mean literally, you know what, mess in the streets. It's all out there. That's the private sector that still has to fix that. That falls under their jurisdiction. Those systems should not be accessed, as I'm sure has been brought up. we're not against the right to repair, but those things have to be controlled systems. Those have to be, that is done with proprietary information, but it has to be controlled. It cannot be given out. And the reason it can't be given out, because if you can figure out how to fix something, you can figure out very easily, we've all heard reverse engineering, and I promise you that is what the adversaries of this country do. Once they gain how something is done, they reverse engineer to figure out how to get inside and turn it upside down. That's why we want to have the critical infrastructure exempted. It's plain and simple. If somebody can gain access and can get in there, then foreign entities, adverse actors, people that want to cause harm, whether it's to the state, to a business, to anybody else, can do that through reverse engineering, and it's not that hard to do. That was my career field of what I spent in. We're modeling this off specifically under the United States Code, which is under 42, and here's what it says. It says Critical Infrastructure Protection Act of 2001 refers to physical and information systems and assets that are essential to the functioning of the United States. And these include, and it goes down a list, telecommunications, energy, financial services, water, transportation. Most of those entities are in the private sector. They pertain to the function of the U.S. and to the states, in particular Colorado, but they are private entities. And that's what we want to make sure is exempted in this bill. That's the very simple point of what we're trying to get at, is saying these systems, the repair of these systems, have to be done in a controlled and very tightly managed manner. With that, I will ask for an aye vote. Thanks. And again, sorry for being late. It's okay. We'll let it slide this one time. Vice Chair Clifford. I just want to say another thing. The bill is short. There's not a lot here. There is no mass confusion. There is no this is very hard to figure out. There is no you can't possibly understand what you're doing. The words are on the paper. The amendments are here. We will go through them and make sure that they are what this committee needs them to be.
there isn't some booby prize at the end of this other than making sure that we put a pathway for things that are important for our security to be able to remain secure. There isn't anything else. This is an easy read and not a hard bill. I just want to leave it there. Thank you. Members, any questions for bill sponsors? Representative Wynn. Thank you, Madam Chair. Colorado is one of four states that has a right to repair law in place. And one concern I've seen time and time again is right to repair tools. And I guess one question I have to the sponsors is a concern is the repair tools themselves. I understand that these tools can be used by the military or by hobbyists who want to rebuild a computer or something or a locking mechanism how would these right repair tools be affected by this bill Vice Chair Clifford. If the tool is specifically related to something about a server or something that's because this is for IT infrastructure, I suppose you could call a tool like a piece of software or a dongle or something or maybe even something that they have not thought of yet that is to secure a network. We have some networks that they're so concerned about the encryption keys being reverse engineered that the way that the company works it is there's like literally a wall with lava lamps that is the most, and you can Google this, this is kind of fun, major security company uses lava lamps because it is so random, the lava moving around in the thing, and it turns on switches, and that's how the keys get managed because you can't – there's no way to make it more random than that. I don't know why anybody has to have lava lamps on a wall to keep the Chinese from getting into a network, but it's what they came up with that worked. How they do that, I believe they should be able to keep it a secret, even in Colorado. So I don't know what they may come up with in the future. I know that they're going to have to bounce on down to the AG's office, pay some, I'm certain, AG fee. I hadn't seen them do anything for free. And then convince the attorney general's team that that needs to remain a secret, and then they will get permission to do that. Follow up for Representative Wynn. Hey, Madam Chair. Follow-up question about the Attorney General's office. What would this process look like for, let's say, a military company or someone who has a military background like defense, and they want to basically deter some hobbyists for access to this technology or like a laptop? I think an example I've heard is this laptop was used by an ex-military unit, and now someone got off of eBay, and they're trying to protect the secrets. Vice Chair Clifford. Number one, a laptop that you could purchase retail, et cetera, is specifically exempt from this. So just because you've got a computer that could be used in critical infrastructure that you might be able to purchase it, it's got to be the specific units that they're talking about. I think when Cisco comes up here today, they're going to tell you the stuff that's using critical infrastructures. They charge car prices for the stuff I have at home. It's probably $10,000. What most of you have is probably not anywhere near that, right? I think that there is a big difference between some of these things. But we're not talking about, okay, well, we went out and purchased a laptop, and now because that laptop is used in critical infrastructure, all of those laptops, That's not at all what we're talking about here. It would have to be something that's specific for that use. Second to that, I don't know about purchasing stuff on eBay. I'm not sure how that works. If they purchased a piece that was used in critical infrastructure that wasn't properly decommissioned or something, I have no idea how to – I don't think they're going to the attorney general's office to get that piece blessed, if you will. But to your question about the process, as far as we are today, we're telling the attorney general that they shall adopt a rule. So they going to have to come up with what that process looks like and how that will work in their office to go through this And even to determine what the volume is We don know if it 300 items or if it 10 items We don't know what that is. The AG's office is going to have to figure that out once these things start to promulgate. Right now, we're just saying there's a problem. Are we willing to allow it to be fixed? Representative Bradley and then Carter and then Luck. Thank you, Madam Chair. Are your Senate sponsors good with all of these amendments? Vice Chair Clifford. I would imagine not. Representative Bradley. I was not expecting that. So you're thinking they will vote to not concur with these amendments? I think that the possibility of this being in a conference committee is very high. I had one more. Go ahead, Brett Bradley. Thank you. What is a boobie prize? It's the same question. I'm going to have to Google it. I've heard it all my life. Maybe it's a Southern thing. No idea? I'm Southern. Never heard it, but I'll look. Yeah, you could Google it. Actually, I am not going to Google boobies prize while I'm in the Capitol. I don't think the network will let us. We have a security device that will stop me from doing that. We're going to move on. We're going to move on. Representative Carter and then Luck and then Ricks. Go ahead, Carter. Thank you, Madam Chair. I had two questions because my district, while mainly is urban, the east side of my district is adjacent to Lincoln County, lots and lots of farmland. So I have, while I don't have a lot of farmland, I have a lot of tractors and tractor supplies. And my question was just working through the critical infrastructure definition and actually visiting some of those organizations on the east side of my district, how high level and just how high level these tractors have become. would those be affected by this? And just based on the fact that if you're out during that season, would you have the ability to repair your own tractor if something happened? Vice Chair Clifford. There's no intent in this bill that we are trying to undo tractors. I think that I would trust the attorney general's office to recognize that a piece of equipment that's in a tractor being used on a farm is not the piece of equipment that's protecting something for the traffic signals. Now, maybe there's some part that is, but I think that they would then have to disclose that we've got top secret stuff on the tractor. I just can't even envision going down that path, Representative. Representative Carter. Thank you, Madam Chair. Just to be clear, I mean the GPS, these things have become – they're not just tractors from back in my day. They have become these electronic high-level pieces of equipment, and I just wanted to understand if they were going to be a part of that. or is there a carve out Vice Chair Clifford They look a lot alike It happens all the time You would be shocked. I also have SCIFs in my district. And so that's why I was asking the questions, because I understand the need for a high level of right to repair because of the SCIFs that are – my district is right next to Buckley. I also have SCIFs, and so I understand that need to have a high-level individual repairing this as opposed to us just breaking them open and figuring out what's inside. I sure covered. Thank you. There wasn't a question, but I wanted to make a comment too, so that was good. Great. The other thing that I would mention is, especially in your SCIF situation, There is also a perceived future where even the state may want to have a third-party contractor that's not related to the original manufacturer maintaining something in the future. The thing that is a differentiator here is that we would know the devices that had been cleared for this, and you would know when you're purchasing that that the only way that you're going to be able to repair that piece of equipment ever. is by something different or by the one that you're agreeing that we're never going to let you repair it. We're only going to let our technicians do it, and we're giving the companies some rights to reserve that when they're used in these very limited circumstances. That would even be – Cisco doesn't want to give the keys to the state either. I would imagine – I keep using Cisco. So they're here. They're on my mind. So if I got any of that wrong, I'll fix it. But, you know, if I have something related to a security system, just because our client at the jewelry store purchased it, I don't ever tell them how to program it or how to get inside or give them the master codes or give them the ability to log into the back end of even their own security system. And to tell you the truth, if they decided that they didn't want to do business with our company anymore, in very many cases, it would require them to completely replace that security system. And they understand that going in. Like, we're never going to give you the keys to this kingdom, especially when our contract says you can sue us if somebody gets past it. I'm just not giving you the keys. I'm not giving you the keys to my house either. Like, that's why I have them, and that's what we're talking about here. Representative Locke. Thank you, Madam Chair, and thank you both for this bill and this important conversation. With respect to the AG, you feel confident and they feel confident that they have the expertise to make these determinations as to what falls in and out of the basket? Vice Chair Clifford. While I think they too would like not to touch this with a 10-foot pole, they have agreed that they can do this, yes. Okay. Representative Luck. Thank you, Madam Chair. Thank you for that. Okay, so I have some articles here related to the Secretary of War wanting to be able to have the right to repair placed in all Army contracts. This critical infrastructure piece, when I look at the definition, could It could apply to basically everything, right? Anything that could have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. So in some ways, this is so broad that it, in essence, guts the – without applying back the exceptions, right, that the AG would verify. Any company could say, you know what, we fall under that particular definition. But in listening to you guys, you don't see it that way. So I'd like a little bit more flush out as to why you think that it is narrow enough. I'd also like to understand if the government itself is saying, like the Secretary of War, we want to be able to have access to the information necessary so we can repair our own equipment, what would your response be to that? Representative Hartzok. Thank you, Madam Chair. Let's take the second question first. It's a little bit easier. So part of that comes down to, again, having been at the Pentagon and one of the other things I had to do there was serving, kind of oversight watching contracting. When you're deployed, sometimes you'll have contractor support, sometimes you don't. Yet the military is expected to use equipment at all times. There are certain things that we will have expertise in the military that's trained, communications, all kinds of stuff that can do a lot of work, fix a lot of things. Some of that stuff, they will need the proprietary information from the contractor that built the system. There are times, and I will tell you, I've seen there and watched it, where we're out in the middle of nowhere, and you know, we'll get up on a link and say, hey, we need XYZ, and the contractor on the other side will go, okay, do this, this, this, this, and this, this, and then we get in and we fix what it is. Those are the exceptions, not the rule. Those pertain to when you're in very adverse conditions, and generally contractors don't get paid hazardous pay to go out in the middle of places where they're getting shot at. So that's usually where it's going to come into play. Back to your first question, like when I read under the United States Code under Title 42, I'm comfortable that that's spelled out. There's history as to how this is defined, what it's fallen into, And I will tell you from personal experience of traveling, talking to multiple state national guards, executive branches of what fell under that category within those various states. Colorado just happened to be one of them at that time when I was on active duty. But Washington, Nevada, Louisiana, I mean, there's many places I went to. They would identify what that was based upon their needs in their state. So, yes, I'm comfortable that here the Attorney General is going to look at that compared to what's under the United States Code and go, yes, this fits. And then the other things that were brought up, tract repair, phones, things like that, that's outside of that purview. Vice Chair Clifford. Is that an answer? Thank you, Madam Chair. I'd also like to key in on a big word and an element that you said in there, contract. the military is saying we're putting this in the contract. We're working with the vendor to say what will be and what will not be repairable or not repairable. And that does give the vendor and the contract. The vendor can then say, no, we're not going to give you our secrets. We're not going to bid on this thing. It is sort of the same way on the other thing. It gives them then the opportunity to discuss and look at that What we done here is said just by virtue of this coming into our state you must now give away that information on request Which seems crazy, especially when we have patents and other protections and stuff for things that you've got to give somebody all the keys to how to fix something. I still agree with that because I've had a lot of things like it really upsets me that I can't use a particular ink in my printer. Or how does a printer cartridge expire when it's still got ink in it? Why does the chip tell it not to work anymore? Infuriating, right? What we're talking about here at this level are still contractually related, and we're giving the companies the opportunity to say, we're just not willing on this thing. Now, that is also going to leave them to the case where sometimes that means they're not willing to sell it. The juxtaposition that I have here is sometimes we need the stuff they're selling, and we also need them to keep it a secret. Representative Ricks. Thank you, Madam Chair. I'm struggling too with, based on what has been said by Red Luck and others, when you talked about the scenario, about the piece of equipment in your security business, there could be an argument that that equipment can be used for conventional purposes and, you know, that people should have the right to repair that. So how do you limit and how do you determine what is going to be used? I think you answered some of that with Red Wind's questions, but it's still unclear because anything could be considered that in critical infrastructure. So please explain how we look at that. Vice Chair Clifford. Here's the fun thing. The thing that I have at my house is covered by a right to repair law. So I can request the information, and I can repair it, and I can open it, and I can do all of those things, and nothing in this bill changes that. Unless that specific piece of equipment was used and identified for use specifically in critical infrastructure, this is something that I can go online and purchase. It is something that is completely covered by our right to repair law, and that does not change. Representative Ricks. Thank you. But the point is that it could be. It's a piece of equipment. It could be part of, like, whatever is being used in critical infrastructure, though. So then what? If it was to be identified as something that could be used in critical infrastructure. Vice Chair Clifford. Theoretically, I think that this is where the manufacturers will have to speak to how they plan to address that. I imagine that the box, the ASA device that we use, probably is used in some critical infrastructure someplace. Whether or not the software they give me and the SKU number or the model number or whatever that they're using for critical infrastructure, they may also have to make some adjustments, too, on what they're selling business to business, which is still covered by our right to repair, or whether they're sold retail, which is still covered by our right to repair. It's not that Lenovo can't make a server that you can buy that is still then completely covered by all the right to repair laws, but we are giving them permission to say, but that server in that particular configuration, we use that in critical infrastructure. And that piece of equipment you should not be able to take apart and do whatever you want to do with it And if for some reason you spent and bought one you understand that you buying it and we still not going to tell you how to do it And that is because that is identified as something that's used in critical infrastructure, and we're never going to give you the secrets. Representative Rex. Okay, so if you've already bought that equipment and this law goes into effect, you were able to fix it. Now it's going to cost you higher costs to fix it, maybe worse service. It just seems so broad. I mean, it's hard to just kind of drill down to specific pieces of equipment that may not be used for conventional purposes and for government infrastructure or for high security stuff. So I don't know. I'm still struggling. Thank you. Vice Chair Clifford. Thank you, Madam Chair. I'm not exactly sure what the – we are not talking about things we're going out and purchasing. This bill is not trying to address something that you're going online to buy. In fact, it's very clear in here that retail devices or business-to-business devices are completely excluded from the provisions of this bill. The attorney general may not even make one of those devices. In fact, in the bill, it says if you – I should probably actually find the bill. If you go in Section 11A, it says that the attorney general must adopt rules, and it's going to say must. And then it says that they have to review two things. They have to review whether this information technology equipment is used in a manner that would qualify as critical infrastructure. And then they also have to go see if this is also available business-to-business or retail. And if it's business-to-business or retail, they are not allowed to exempt it. So if they find that they can go purchase it on their own and it's not specifically critical infrastructure exempt, they can't do that to you. So if you've been out purchasing it, that would cause this to fail, that test. Are there any further questions? Okay, I'm not seeing any. We're going to move on to witness testimony. Do you all have a preference in terms of how we hear folks? We've got support, oppose, and amend. Let's just alternate. There's quite a few, right? Yeah. Okay. All right, good. We'll start with support, and we will just alternate. Okay. I think you'll probably only have one support panel, so we'll start there and then we'll do the rest. All right, so I will go ahead and call Matt Fusa, Christopher Brisey, Nathan Trail, Kate Riley. Yeah, we're going to do two minutes. Yes, two minutes. And then Brittany Morris Saunders, Dusty Brighton, Andrew Wood, and Jake Parker. All right, while folks get brought up online, who would like to begin? You guys want to flip a coin? All right. We'll have you go ahead and make sure your microphone's on and then the floor is yours for two minutes I sorry Over Yep there you go Yep There we go Thank you
Good afternoon, Chair and members of the committee. My name is Chris Brzee, and I'm Director of Government Affairs for the National Electrical Manufacturers Association, or NEMA. We represent more than 300 leading manufacturers of electrical products. We strongly support SB90, exempting information technology equipment intended for use in critical infrastructure from Colorado's Consumer Repair Bill of Rights Act. For many consumer products, the case for rights to repair is easy to understand. If a phone, tractor, household device breaks, people want fair access to the tools, parts, and information needed to fix it. But critical infrastructure is different. SB 90 will protect Colorado's most sensitive systems from the ever increasing cybersecurity threats as you heard from the sponsor. NEMA members design and manufacture equipment that is vital to our nation's electrical grid from generation to transmission and distribution equipment and a growing number of data centers with connections to our electric grid. It is of the utmost importance to safeguard these critical systems. When Colorado's right to repair laws were implemented, focusing on consumer products, addressing such critical infrastructure needs were not a focus of the conversation. SB 90 would create a narrow exemption to ensure that certain information technology equipment used in critical infrastructure is not treated the same as consumer devices under Colorado's repair law. This is not an argument against repair or against consumer rights. It is a recognition that fixing a smart phone is not the same as modifying the systems that keep our lights on. Modern infrastructure depends on networked equipment, digital monitoring industrial communication technologies and software enable controls all operating within tightly managed environments that must meet strict safety reliability and cybersecurity standards. Improper repair modification or authorized access could create risks far beyond a single device. NEMA supports SB 90 strongly and we thank the sponsors of this bill. We're happy to take any questions and work further with the committee on this legislation. Thank you.
Thank you very much. Please hold for questions. Welcome.
Thank you very much, Chairwoman. I appreciate it very much. Chair Wolford, Vice Chair Clifford and members of the committee, thank you very much for having me here today. My name is Matt Fusa. I'm the Vice President and Trust Officer for Cisco Systems. I lead a large and technical cybersecurity team that basically supports our customers in times of crisis. And we also do a lot of security testing on our products to show customers how they're built and how they can be trusted and secure. those designs and build networking equipment that powers a lot of the world's Internet. We are in many ways the critical infrastructure of critical infrastructure, and our products sit under almost every Internet-related transaction in the world. On a given day, we tend to see about 60 to 70 percent of all global Internet traffic. That is how embedded we are in these systems. Those systems are the target of significant efforts by nation-state attackers to compromise them because if you can get into the heart of the internet, you can do a lot of damage. That's the reality that the committee is legislating against today. And I want to be clear about something first, that Cisco supports the right of repair. We are not opposed to the idea of the right of repair for our customers. But there is a difference between the complexity of technology, and we strive to give customers and the people of Colorado access to reliable, dependable, and affordable repair options as a part of our process. And we go to great lengths and have built a significant infrastructure to make sure that can happen in any location and under any condition. But repair policy has to account for the fact that not all digital technology is the same. The representative earlier talked about his home router. The router used in your home is fundamentally different than the kind of router that we sell. I've provided some photos, but the kind of router we sell looks like this, and it resembles nothing like you have in your home. The majority of our products and all of our products are really targeted at a business-to-business context. They're incredibly complex, incredibly sophisticated, and they are not a one-size-fits-all. When one-size-fits-all approach is applied to this kind of equipment, it can unintentionally allow access to really sensitive information, source code, encryption keys, intellectual property, and that's at a time when nation-state attackers are specifically targeting these advices and you can read advisories from the FBI and CISA and other national security agencies describing those efforts. The amended bill addresses the risk in a structured exemption process, one that requires review by the Attorney General and limits eligibility to equipment sold under a business-to-business or a business-to-government arrangement, and is genuinely intended to exempt only those products used in critical infrastructure. We believe those distinctions matter. The bill does not seek to repeal Colorado's rate to repeal law. Instead, it simply recognizes the special character of those products in those environments and seeks to protect the very sensitive data from unwarranted disclosure in those spaces. I truly believe that this creates a significant security risk. I also believe that the complexity of the devices, which I'm happy to discuss, makes the idea of self-repair a very limited concept in the concept of a device that has 200 million lines of software code and over 10,000 subcomponents inside of it. It is incredibly unlikely that an individual will have the skill, the knowledge, and experience to repair that advice, and I'm happy to discuss that in some detail as part of this testimony today. These distinctions matter. Colorado has an opportunity to do two things at once, protect customers and consumers, and also create a safe space for critical infrastructure and the security of that infrastructure. The current bill is a responsible framework. Cisco supports it, and I respectfully ask the committee to advance this bill.
Sir, thank you so much. Your time has expired. Appreciate it. All right. Let's go online to Nathan Trail.
Sorry, is everyone able to hear me okay? Yep, we can hear you. The floor is yours for two minutes. Great, Madam Chair, members of the committee, thank you so much for having me here today. And I apologize for not being able to be there in person. I'm here today to support SB90. My name is Nathan Trill. I'm the Vice President of State Government Affairs for the Information Technology Industry Council, or ITI. ITI represents many of the world's leading technology companies, including companies that develop, manufacture, operate, and secure the digital systems that support critical infrastructure. SB 90 takes a narrow and sensible approach to addressing an important gap in Colorado's right to repair framework. The bill would exempt information technology equipment using critical infrastructure from the Consumer Repair Bill of Rights Act, helping to avoid unnecessary cybersecurity and operational risks for some of the most sensitive systems Colorado residents rely on every day. Critical infrastructure systems are different from ordinary consumer devices, equipment used in sectors like water energy communications transportation and financial services often operates in highly sensitive environments where security reliability and system integrity is essential. Requiring manufacturers to provide unaffiliated third parties with access to propriety tools, documentation, or software for these systems could create unnecessary vulnerabilities and expose critical operations to misuse or attack. Importantly, SB90 is appropriately tailored. It relies on existing federal definitions of critical infrastructure, which provides clarity and helps ensure that exemptions remain limited to systems where the security stakes are especially high. So to close, Senate Bill 90 strikes the right balance and preserves Colorado's broader right to repair framework while making a narrow and sensible adjustment for systems where cybersecurity reliability and public safety must remain and paramount. For those reasons, ITI supports Senate Bill 90, and we respectfully urge the
committee to advance this bill. Thank you so much for your time. Thank you so much. Let's go to
Jake Parker. Hi, Chair Wilford, members of the committee. I'm Jake Parker with the Security Industry Association, representing 1,700 companies, including 40 headquartered in Colorado, and provide security systems and technology used to protect all 16 critical infrastructure sectors. We support ASP90 because it brings need and clarity for these manufacturers to provide these solutions. A recurring problem in digital right to repair laws is an overly broad scope that extends far beyond fixing broken smartphones and computers to any electronics. And we're concerned that without specific provisions, it could extend to modern security systems for part of the IT infrastructure. It's a problem because it would allow anyone claiming to be a repair provider to obtain extensive information from manufacturers that could be misused by bad actors or to disable and subvert these systems or enable cyber attacks. These systems that protect critical infrastructure are not consumer products sold through retail channels. There's no involvement from an independent repair shops that could benefit from it. So it only introduces risk. Luckily, all states with digital right to repair laws have some provisions addressing security products, but they're not all the same, and they are not all clear, as the proponents have chosen to reliticate this issue in every state so far. This provides some additional clarity. Let me give you an example. Existing law excludes intrusion detection systems, but only if they are monitored by a third-party service. That might make sense for a home security system, like many of us have. The fact is most large facilities, and especially these types of facilities, have intrusion detection systems that are self-monitored by internal security teams. So the question is to whether they would meet that definition. So this could apply to things like nuclear power plants, electric generation, substations, and other types of critical infrastructure. So really there would be zero benefit for not providing this clarity. zero benefit to the public. So for that reason, we support SB90 and encourage you to.
Thank you so much for your time and your testimony. Next up, Kate Riley. Thank you, Chair, Vice Chair, members of the committee. My name is Katie Riley, and I represent the Consumer Technology Association. We go by the acronym CTA. CTA is North America's largest technology trade association, and our members of the company is complying with Colorado's right to repair law. We're here in support of SB 90. As you all are aware, right to repair laws exist in nine states in the U.S. That's actually an update from when this bill was heard on the Senate side. Kansas passed its legislation earlier this month. Of those nine states Colorado is the only state to include critical infrastructure technologies in the provisions of its law Enabling access to critical infrastructure leaves these systems vulnerable Others as part of this panel have touched on that What we asking for this exemption here is really to bring Colorado into alignment with those eight other state laws, recognizing the importance and criticality of critical infrastructure. These systems are the backbone of water, transportation, communication, et cetera, and they rely heavily on integrated IT. Given the interconnectedness of our critical infrastructure systems, the same rationale should be given to all critical infrastructure systems, similar to those exemptions that were provided in the original law itself. The provisions for consumer devices remain in Colorado's right to repair law. Nothing changes that in this proposal. This is really just recognizing what those eight other states have recognized and put into law. So CTA respectfully request your support on this legislation. Thank you. Thank you very much. Next up, Dusty Brighton. Hello. Thank you, Chair Wilford. Appreciate the opportunity to be here with you all today. On behalf of the Repair Done Right Coalition, we are in support of Senate Bill 90. This bill makes a very narrow but critical adjustment to Colorado's right to repair framework. This change is necessary in our view to avoid introducing cybersecurity and operational risks into systems that are specifically designed to protect the public, not only safety, economic stability. Critical infrastructure systems across sectors such as energy, water, communications, transportation, and financial services operate in highly sensitive environments where security and reliability are paramount. Requiring manufacturers to provide unaffiliated third parties with access to proprietary tools, software documentation for these systems could create unnecessary vulnerabilities and increase the risk of disruption or misuse. For these reasons and the others that this panel has identified, the RDR coalition supports Senate Bill 90 and respectfully urges its passage. Thank you. Thank you very much. And last on the panel, Andrew Wood. Madam Chair, members of the committee, thank you for the opportunity to testify in support of Senate Bill 90. My name is Andrew Wood, and I'm the Executive Director for TechNet Central Region. TechNet is the national bipartisan network of technology CEOs and senior executives that promotes the growth of the innovation economy. Colorado's Consumer Repair Bill of Rights Act was designed with consumer electronics in mind, things like laptops, smartphones, and household devices. But applying those same requirements to IT equipment embedded in critical infrastructure creates a meaningfully different risk profile. Under the existing framework, OEMs, original equipment manufacturers, could be required to provide potentially unaffiliated third parties with access to proprietary schematics, diagnostic tools, source code, and repair documentation for systems like energy grids, water treatment facilities, and financial networks. The security and resilience of these systems depends on repairs being performed by qualified and trusted parties, a standard that OEMs and authorized repair firms are best positioned to meet. Senate Bill 90 addresses this issue by anchoring the exemption in the established federal definition and provides clear legal boundaries without disrupting the broader right to repair framework. I'll note that I've heard discussed some amendments that are coming today. I can't speak to those because I haven't seen those amendments. However, it does sound like we might be layering on a fairly extensive attorney general process on top of those clear legal definitions from the federal standard that I don't believe any other state has taken up. But despite that, I still urge a yes vote on this and thank you for the time. Thank you very much members What questions do you have for this panel Representative Luck and then Foray Thank you Madam Chair I have a few questions to different people Is that all right with you Yep. Wonderful. So my first question is for Ms. Riley. Ms. Riley, you made mention that there are nine other states. In those other states, what solutions have they pursued? Do they have a structure like this where they're giving authority over to the AG to decide what constitutes critical infrastructure and what doesn't? Ms. Riley. Thank you, Chair and Representative. No, they do not. They're not establishing a structure like this. It is either a clear exemption for critical infrastructure or the law is very explicit in that it is applicable to only consumer devices or it explicitly states a small subset of devices. So there's no, given the amendment that was talked about earlier, there's no structure like that that exists in any other state law. Rep Luck? Thank you, Madam Chair. Thank you for that answer, Ms. Riley. My other question was for Mr. Parker, but he doesn't seem to be online anymore. So maybe, sir, from Cisco, Mr. Fusa? Yes, Representative Luck. Thank you. Thank you. I'm just wondering, right now Colorado requires this information to be made available because we haven't exempted. And so this has been in law for, I think, a year, if not two. I don't know. Sorry, there's a lot of laws that go on here. So forgive me for not knowing the specifics as to when this became effective and what have you. But I guess I'm just wondering, if you're already covered now, what is currently the situation? Are you giving over information? It's an excellent question. I am not aware that we have been asked to provide this information. I think there are instances where I think we would struggle to provide it. So we talked about tools earlier. Most of the tools that we use to build all this software and compile these parts are really third-party tools that we license and purchase in. And we get license rights that let us use them for our own purpose, but not license rights that would allow us to share those outside. So in a lot of places, I would expect to see those types of barriers. I mean, it's just better for us to let a small entrepreneurial company provide us with that capability than for us to build and mind it ourselves. I want to say, though, I'm not aware that we've received any requests. So I can't really sort of help you with evidence related to the current state on this topic. Representative Luck. Thank you, Madam Chair, and thank you for that. One last follow-up. Again, you may not have the information. I was looking for the gentleman who represents 40 Colorado companies, but maybe because you're in this space, you would know, are there Colorado companies who are looking to either depart Colorado because of this or not sell into Colorado because of this particular issue? Mr. Fusa. Yes, thank you, Representative. I am not aware of companies that are departing. I can speak for my own company. We would have to look at the kind of business that we do in the state. should these requests become common and this bill proceed or this bill fail with this exemption. We support our customers, okay? And we have large global customers that cover Colorado and many other places. It would certainly create a quandary for us that we would have to figure out how to navigate, and it might cause us to look at the portfolio and what we sell and what we don't. But I don't want to come in here today and tell this committee and this body that we would take any kind of drastic action, but for sure it would really require us to step back and look at what we sell here and how we do that. Representative Frey. Thank you, Madam Chair. Thank you all for your testimony. I've heard three to four times in this testimony that you said narrow exemption, and you referenced the federal – when I read the federal statute around what is the definition of critical infrastructure, it didn't actually say what it was. There isn't a list. It just seems pretty opaque of this could be interpreted as dangerous, threat to national security, but it doesn't actually outline. So when I keep hearing narrow, I'm curious how you're interpreting the federal statute to say it's narrow when there is no actual definition of examples of infrastructure. Is that from Mr. Fusa? I know a gentleman with 300 manufacturers. And then there's a guy in the tie. Those are at least the two that I remember. At least narrows it down up there. Mr. Trail. Um, wait, excuse me, what was the question? We didn't claim to represent 300 manufacturers. Sorry, what was the question? Do you want to repeat your question, Representative Furey? I'll take it to the 300 manufacturers. Maybe he'll answer. Thank you. Sure. I'm happy to pass on to anyone else who wants to answer as well. You know, I think we're saying it's narrow in the sense that really the target in what was discussed under the right to repair bill, when it was all the way to the point of passage in Colorado, was the focus on consumer products. Oftentimes, you know tractors and farm equipment are some of the discussion. So this is talking about taking equipment out of the the scope of this bill that are not really used in any of those contexts. So well, I'd have to get back to you on the exact federal statute and have someone who has more legal background than me give you an exact answer. It's something I'm happy to follow up on. Thank you. That is kind of why we're referring to it as narrow as it's looking really just the small subset of products versus the broader right to repair world that Colorado. I was looking to regulate. Thank you. Representative Wynn and then Bradley. Thank you, Madam Chair. I guess one question I want to ask is what abuses or cases of people have used, misused these technologies? I think I've heard and looked into trying to find cases, and I just can't find anything that seems relevant in Colorado. Do you have any examples of technologies or infrastructure-related devices that truly would classify as national security or affecting our water or even our nuclear – as someone mentioned nuclear power plants, but I don't think we even have nuclear power plants in Colorado? Who is that for? Anyone on the panel, sorry. Representative Wilford and Representative Wynne, I'd be happy to answer that question. In response, there are a few scenarios that are very specific. So the first is we see Chinese counterfeiters attempting to steal the design documents that are the type of information that we'd be required to disclose or are required to disclose under this law from our factories in order to create counterfeits. And they create counterfeits. These are fake products. They are not made by us. They are not authentic technology. They're pure copies. And they sell them around the world. And a lot of what you see on eBay and when you go on the Internet, those are fake devices because we do not sell through eBay. So when you go online and you look at devices and you see the variance in the price, a lot of what you're looking at is a counterfeit that was slipped into the stream of commerce by a Chinese counterfeiter. So that is one area where we definitely see this type of activity and the use of this information. The other is what I mentioned earlier which is Russian and Chinese attackers and Iranian attackers have shifted their focus of attack specifically to the kinds of devices that we sell because if you can compromise them you can go deep into a customer network or a government network or a critical infrastructure network and cause some significant disruption. So it's been a really focused point of attack. CISA, the U.S. Cybersecurity Agency, the FBI, the British NCSC, and other governments have all released very long public advisories about this attack pattern. It is very real, and it is happening right now. So those are two examples that I could cite. There are others, but thank you. Representative Bradley. Thank you, Madam Chair. We were just looking up critical infrastructure, and I would not say it's narrow. There is a lot that it encompasses. And then I was just looking. I've learned a lot about right to repair. Didn't realize I was going to educate myself so much. But when I look at the House Bill 24-11-21, it seems like a lot of you testifying are already exempt under Section E, industrial, utility, construction, compact construction, mining, forestry equipment, or road building digital equipment. Then it goes down, Section J, safety communications equipment, the intended use of which is for emergency response or prevention purposes by an emergency system organization such as police, fire, life safety, medical and emergency rescue services agency. So I guess if you're exempt, I'm kind of wondering, it seems like a little bit of fear-mongering. Who was that for? Anybody who wants to answer? Put up your hand so I can call on you, please. Man, no one ever. Okay. Any other questions for this panel? Go ahead. Repluck, you get the last one. Thank you, Madam Chair. This is a question for anybody to answer. I'm just wondering what specific security protocols exist in your companies right now, as you mentioned, to protect against the kind of breaches that are being threatened. And Mr. Fusa. Yes, Representative Wilford, thank you very much. Representative Luck, thank you for the question. Like most companies, and I think we're just an example, we deploy a heavy technology-led focus on securing our infrastructure and on the product. So for our infrastructure, we make sure that the products we use are secure. We actively monitor the periphery of our network so that if an attacker sort of like looks at us with scanning tools, they don't see things that they can exploit. That is one of the key sort of boundary level protections that we have. Inside the company, we segment all the data. So we have tons of customer data, as you could imagine, right? Every one of it is in a secure pocket that is individually protected from exposure to the other pockets, right? So we break that data into small piece parts. We encrypt that data, but we give our customers the encryption keys so that we can't read it and only they can read it. So we go to great lengths to sort of lock down the data and the infrastructure. And the products, we use and have a secure development process that's like embedded in engineering. So we give, our organization gives our engineering teams what's called a threat model, and it lets them know the kind of threats that they face. And then we help design the products in ways that can defeat those threats. As you can imagine, that is a daily, weekly, monthly series of changes. I think the threat environment is super dynamic. It is probably more dynamic now than it has ever been. And so we have a very what I would describe as a very vibrant development methodology that is constantly adapting to the threats that our customers face Our customers all use the same products They all protected in the same way right So we don just get this product gets one level of protection that gets another We deploy those same protective methodologies across everything we sell. So big and small, simple and complex, all the customers get the benefit of that kind of engineering into the product. All right. Thank you all so much for your time and testimony. we're going to move on to our next panel. Moving to an opposition panel, let's call Stacey Higgin Bentham, Michael Smith, Danny Katz, Billy Rios, Paul Roberts, and Jake Blow. Welcome. Who wants to start? Okay, go ahead, Mr. Katz. Two minutes. Great. Thank you very much for your time. My name is Danny Katz. I'm the executive director of Co-Perg. We're a statewide consumer watchdog. We are here opposed to this bill and ask you to vote no on it. We cannot sugarcoat that right now in the state of Colorado, there are cyber attacks that are happening every day. They're happening on digital infrastructure across the state. They're happening on schools, hospitals, military installations, law enforcement agencies. And if they are successful, that can be very scary and damaging to people here in Colorado. We need to protect our IT equipment. That is a number one priority here. What are the kinds of things? IT equipment is on the front lines. It's the thing that's being attacked right now. And so we need to make sure that it is fully operational, that it has the things that it needs to make sure that if it goes down, it doesn't stay down long. What are some of the tools that we need? Well, we need to replace a fan in a server. This is a piece of IT equipment right here. This is a server. We need to replace a fan. In order to replace a fan, I think that the in-house technicians who have, you know, the companies that have bought this, the law enforcement, the military, the hospitals, whoever it is, they've bought this. Their in-house technicians should be able to have the access to the tools so that they can repair a fan in a server and get that server up and running faster. They should also have the option to go to the manufacturer too if they'd like, but they should have access to those tools. It does not make us safer to restrict repair tools. What it does do is it allows major manufacturers to have a monopoly on repair. And not only does that not make us safer, but it will drive up costs as we know with monopolies. It leaves us with less options. And it also gives manufacturers the ability to stop providing help to infrastructure like servers that can be used over and over and over beyond that initial purchase. And this could have, you know, pretty damaging impact on used infrastructure and could have a big impact on just being able to get as much life out of what we want. Sorry, that's as much as I could get in two minutes. Thank you very much. Welcome, sir. Please introduce yourself and the floor is for two minutes. Yep. I am Billy Rios. I'm against this bill. I'm a vulnerability researcher, a pen tester. It's kind of a nice way to say a hacker. The government, U.S. government pays me and Fortune 100 companies, 1,000 companies pay me to break into their systems. I've got hands-on experience breaking into power plants and water plants, medical devices, cars, locomotives, airplanes things like that voting systems I run two cybersecurity companies One was acquired I still run one I worked at Google I was a tech lead there I worked at Microsoft I was a security program manager for Internet Explorer I sorry But I also know the product security side pretty well at the enterprise level. I was a commander for a cyber operations squadron in Washington State that was focused on critical infrastructure. So I know the government side really well as well as the corporate side. This bill, it's really broad. It's very, very broad. As you know, cybersecurity moves pretty quick, right? And so when you have an attack against critical infrastructure, that first frontline response has to be right on and has to be really fast, right? And when you think about all 16 sectors of critical infrastructure, which is how DHS defines it, which includes agriculture and food as well, they have to move really quickly, and the responsibility for securing their systems doesn't fall to the manufacturer. It falls to the owner-operator. the people that own and operate the equipment, not the manufacturer. And so whatever we do to slow down their response, we have to be very careful and deliberate about that, right? If we don't do this properly and we restrict access to tools, information that they might need to actually respond to an active cyber attack, that's going to be bad, right? In the worst case, we actually create a condition where we introduce a slow-moving dependency into a rapid decision tree that they have to go through, and they're dependent on the decision of a third party to help them get the information or get access to the system that they need. I'm sorry, your time has expired. Okay, thank you. Thank you very much. Welcome. Please introduce yourself and the floor is yours. Madam Chair, members of the committee, my name is Michael Smith. I'm the Colorado State Director for NFIB, the National Federation of Independent Business. NFIB represents approximately 6,000 small businesses across the state in all types of industries. I am here today in opposition to Senate Bill 90. NFIB advocates to protect our members' right to own, operate, and grow their small business without interference. The current right to repair law in Colorado supports the ability to do that. Our members backed the bill in 2024, which provides for the right to repair electronics with limited exceptions. In the marketplace, access, choice, and competition are important for a strong and vibrant economy, and the current law aligns with those market principles. Importantly, the law gives control of electronic devices and equipment to the people who purchase them. The right to repair results in increased access and options for small businesses to fix their electronics. This leads to lower costs and shorter repair times and shorter distances traveled for repairs. In rural communities throughout Colorado where options to repair electronics may be few and far between, right to repair is critical to provide options to promptly fix electronic devices with limited interruption to their livelihoods. The language in Senate Bill 90 is broad and lends itself to a potentially wide range of unspecified exemptions. If new exemptions are to be considered, I respectfully ask that they are specific and spelled out by lawmakers. Thank you for allowing me to testify and I urge your no vote on this bill. Thank you. Thank you very much. Let's go online. Jake, we're going to start with you. Thank you, Chairman Wilford for allowing me to testify. Jake Blau. And I just retired last Monday from a company doing independent repair, specifically in enterprise IT for 26 years. My issues with the bill, a lot revolve around intended. It is my experience in 26 years that the same router used at a water department or a power plant is the same one also used at Kohl's and Barnes and Nobles. It's the same servers. It's the same SKUs. They don't manufacture a different server, a different storage system for different uses. And so this is not narrow. It is very broad and would say that an elementary school server can't be repaired because it happens to be the same server that runs accounting at a power plant. So it's just not really in an equal language in that respect. And what's really interesting is that many manufacturers already release service tools. Dell PowerEdge, for example, they make a lot of servers. All of the repair literature is already out there. It can be used. And those servers are absolutely used in all of the critical infrastructure examples that have been shared today. But other manufacturers don't. And so it's interesting that there's all this concern about security, but many of these devices are already freely open, and there has not been any breaches, there has not been any problems caused by having the ability to have repair tools. So I urge this committee to vote no on this. The language is very broad and would be harmful to businesses and to security. Thank you. Thank you very much. Next up, Paul Roberts. Thank you, Chair Wilford, members of the committee. I'm Paul Roberts. I'm the founder of Secure Repairs. We're a group of more than 400 cybersecurity and IT professionals who support a legal right to repair. And I'm speaking to you today, obviously, to vote in opposition to SB 2690. To be clear, we at Secure Repairs share your concerns about growing cyber threats, critical infrastructure. And obviously, as we've heard, attacks linked to China, Russia, Iran, North Korea are real and ongoing. This bill does not address those risks. Limiting access to repair information has no demonstrated connection to preventing cyber attack. And it may, as Billy and others have said, make IT systems less secure and more vulnerable to those attacks. And that's because there's no evidence, as Jake was just saying, that access to repair materials has contributed to attacks on critical infrastructure. CISA in April found issued a warning about Iranian attacks on critical infrastructure. And they found that the breaches that are occurring are due to exposed Internet-facing devices that are running software that has unpatched and exploitable vulnerabilities. Or manufacturers are selling and their customers are deploying poorly configured products that, for example, have a default administrator, username and password that gets reused or don't support like multi-factor authentication. So will SB2690 address those risks? No. What it will do, as you've heard, is encourage manufacturers repair monopolies, allowing them to lock down access to the tools, information, and replacement parts needed to diagnose and repair equipment. That going to delay maintenance increase the cost of repairs and reduce service quality for Colorado businesses As it written Colorado right to repair law supports timely maintenance competition and resilience Weakening it will have the opposite effect, and that's why we at Secure Repairs are urging you to reject SB 2690 and preserve policies that promote faster repairs and better security outcomes. Thank you so much for your time and your testimony. Members, what questions do you have for this panel? Representative Bradley. Thank you, Madam Chair. I was trying to write as fast as possible. So, Billy? Yes. I didn't get your last name. Mr. Rios. Rios. Can you – you brought up a really good point. If we're waiting on manufacturers who might be inundated with different things going on and then you're under a cybersecurity attack and you can't – that manufacturer can't get you up and going quickly, could you walk me through, since you have experience hacking, what would happen with a power plant going down that needs to go through a manufacturer versus not going through as far as like a time frame like like walk me through option a versus option b mr rios yeah thanks that's a good question um i have been actually part of a cyber defense team that did defensive active defensive critical infrastructure and i can tell you right now it is really fast-paced. Literally every second matters. When you know that there's an attacker in your organization, in your network that's attacking your devices, you have to know what you're doing, and you have to be able to make changes to your environment very quickly to stop the attacker from what we call escalating to other systems. Normally, that is an authority that's granted to the security teams that are defending whatever organization that they're signed to. And so for a power plant, if a security team member in a power plant knew that they were being attacked by a nation state actor and the nation state actor was active inside their network, they would be changing the configuration of their systems and their devices in real time based on what they see the attacker doing, right? There is no time to try to get a description of what the attacker is doing, send an email to someone and ask them what they should do to change their system or device to defend against that. It doesn't work that way. It's very stressful. It's very real-time. The experienced folks on the security team are usually ones making the call. In a power plant, they'll be working with regular OT engineers who are not security people, by the way, on what the potential result for a particular change could be and whether it's worth doing that. There's a lot going on there. And if we start to introduce more and more legs to this decision-making tree, you know, there's just no way the defender can win at that point, right? Representative Luck. Thank you, Madam Chair. And Ms. Rios, just a follow-up on that particular question. So there are, as we've heard today, 41 other states that don't – or 41 states that don't allow for access to this information. So in those states, when those kinds of attacks happen, what remedies exist for them? Is there a way forward or is this they are just out of luck or is it that they actually – yeah, you understand what I'm going to say. Yeah. Mr. Rios. That's a really good question as well. I think it's important to understand just a couple things up front about like how cybersecurity attacks actually work. like we heard a lot of like hey there a lot of cyber security attacks and i just want to explain like how they work the vast majority of attacks actually actually don involve a fan or repair at all The vast majority of attacks actually attack people So instead of targeting the fan in a SCADA system or a critical infrastructure system, that's usually not the first step of an attacker, both like a hacktivist who's in their basement and a nation-state actor. typically in most cases, the vast majority of cases, it's an attack against a person, like an IT engineer or a SCADA engineer, a water plant engineer, a database administrator, and they're targeting that person to try to get access to what it is they're trying to get access to. In those cases, you don't need help from anyone to do anything. You defend the network in the way that you defend your network, right? So the second most prevalent way is actually exploiting configuration and security engineering vulnerabilities. And so someone had mentioned this before, you know, someone picked a really bad password. That's a configuration vulnerability. Someone made a mistake in the coding that they wrote for our device. That's a security engineering vulnerability. You don't need access to manuals or anything like that to exploit that, right? And so those are the two most common ways that these systems are exploited. If you look at the well-known nation state news that you've seen, were like Volt Typhoon, which is Chinese actors exploiting critical infrastructure in the Pacific, Russian attacks against critical infrastructure in Ukraine. They targeted people, security engineering, and configuration issues first, right? And so the second piece here that we're talking about, repair, and people getting access to repair, doing like implantation type things, like that's a tiny, tiny segment of real attacks against anything, not just critical infrastructure, right? And we're talking like people, security engineering, and configuration is over 99.99999% of attacks you're going to see in the real world. So in those other cases where maybe it is an implant or something like that, the organization is free to work with the manufacturer and say, hey, is this chip really yours? Is this fan really yours? And maybe work with them that way. But in most cases, it doesn't even come to that. It's addressed in a different security way. All right. I know there are other questions. I don't often ask for him any questions, so I'm going to jump in just where we are on timing. I want to make sure I'm understanding this correctly. So when we talk about right to repair, we are specifically talking about physical infrastructure, right? So like the thing right here on the table with a fan, or are we talking about like software? Mr. Katz or Mr. Rios? Yeah, Mr. Rios can certainly answer after, but I did want to emphasize rights to repair. I mean, for so many years, all you had to do was buy a new part to something and plug it in, and the thing worked. The reason we have rights to repair laws is over the last 10 to 15 years, the more that you buy a part, you could get the right part. It totally works. You can plug it in. You can screw it in. It would totally work. But you need some firmware. You need something that allows that new part to communicate with what you put it in, whether it's a tractor or a wheelchair or anything. And I agree, this bill is just about IT equipment, so it's very clear about IT equipment, but it's very broad about the critical infrastructure definition. And so when I say firmware, firmware, think of it as like a language. So if you have a fan and you plug it into a server, that server is going to go, hey, are you a fan that can work with me? And that fan needs to be able to say yes. And you need some firmware a code a way for those two things to communicate And if you don have that that how a manufacturer can restrict your ability to repair and require you to go through them If the manufacturer is making that firmware in a way that you can take the fan, plug it in, get the firmware, and that firmware is designed in a way that it doesn't just say, yes, I'm a fan, and yes, you're the right thing, but that firmware can also suddenly get you in to steal all the social security numbers of the secret codes, it is a really poorly designed repair tool. And if repair tools are designed in that way, we should be buying our equipment from other companies. And so it is surprising to me in this conversation that there's this implicit worry that the repair tools, the firmware that's going to communicate between a fan and a server, that somehow those are being designed in a way that can be used for other things, that there's a much bigger problem there. And I think that's why so many security professionals are coming forward saying there aren't problems with repair. This is why CISA and others are saying, actually, it's a good idea to try to have third party or other repair options. It's a reason why the military is going for those repair tools, because those repair tools are not going to be used to hack their stuff. If it was, they wouldn't be trying to get it. They'd be buying different equipment. So anyways, just trying to connect the dots of like, what's different now? And that That firmware piece is really important, and I think the rights to repair law was mischaracterized earlier. It does not require you to provide source codes. It does not require you to provide design docs. It literally just says you've got to provide the repair tools that are being used, the repair tools. And that includes documents, documentation, schematics, firmware. But if you're giving over schematics of your whole thing and all you needed to provide was one thing, there's literally language in our law that says you can redact that stuff. So there's so many things that protect companies' ability to withhold those trade secrets. That's why big companies like Google supported this bill originally. So anyways, just wanted to help clarify that. That was very helpful. Did you want to add anything? Yeah, I do. It's a really good question. And I think we also have to remember that, you know, under the law, you know, organizations, you know, may be obligated to provide certain types of information or data related to repair. Attackers are not adhering to the law, right? So a nation state attacker is not going to say, well, there's a right to repair limitation here or anything like that, right? So a lot of times they have access to a lot of data that they need. Maybe they've previously breached an organization. They know a lot of internal data. We've seen that before, right? So that's something else to consider as well. Okay. Thank you. There are three questions. I've got one from Froelich, then Wynne, and then Espinoza will get the last question. Thank you very much. Thank you for the answer to those questions. It is getting closer. But Mr. Katz, I understand that, and so your position is in oppose or amend, and what is the status of there were some discussions of amendments floating around that we haven't seen yet. Are there amendments that would get you to a better place on the bill? Mr. Katz. Thank you for the question. At this point, we are opposed. There's no amendments that I've seen that would get us to neutral or support. Okay. Representative Wynne. Thank you, Madam Chair. One question I have is, you know, we've heard from the proponents of the bill about how this is a national security matter. And I think you kind of touched upon a little bit about the technology. And my concern is that... continue to ask this and I want to ask this again. The technologies that they have in mind are repair tools, right? Repair tools are critical for fixing your devices or making sure things work. How would, by our understanding of this bill, the Attorney General's Office is going to be monitoring what would be classified that. Can you give me an example of a repair tool that would classify as something that would be Am I infringing on national security? Mr. Katz. Yeah, so I think the way that I would follow it through the law would be, first and foremost, what's a repair tool? And that's clearly documented in the current law. I can pull it up, but it's like documentation, tools, parts, firmware. So it clearly says, what are those tools? then you come down and say, okay, if those tools are being used, that's when right to repair kicks in. So if a manufacturer isn't even providing those repair tools, if those aren't even being used in the marketplace, then you don't even get access to those. But once those are getting used in the marketplace, then if you bought a server, you should have, you have the right to get access to that at fair and reasonable cost. They don't have to give it to you for free either. So that's the current law. The way that I see this amendment working is that this would say, okay, the attorney general will create rules to determine, are there specific repair tools that an IT equipment manufacturer can withhold because there's some security problem? But the AG will be limited to if the IT equipment is used in critical infrastructure, which I think by that definition of critical infrastructure is the internet. So servers, routers, I think almost all equipment would fall under that category. So I think that falls under that category. And therefore most of it would be stuff that the attorney general will not be able to say, hey, you can't get access to this. And then there is the second, if the equipment is done through a business-to-business or business-to-government contract. I think most of this equipment is also used in that way. And so what Jake said earlier about the server that might be supporting a coffee shop could be the same server that's supporting something that anyone here might define as critical infrastructure, a power plant or whatnot. I think that would give, if I was an IT man, if I was a manufacturer, I would use that to say, listen, this server is being used in a power plant. So if it's also being used in a coffee shop, I'm not giving repair tools to any of those people. And again, I think that's a faulty premise because I don't think those repair tools are actually a security risk. There's no evidence of that. And so that's how I would see this falling. And that's why we're opposed to the bill as it's currently written. Right. I mean, if I might add also... Sure, get in there. This is Paul Roberts from Secure Repairs. Yeah. I mean, first of all, again, these tools are being distributed to hundreds or thousands of companies and employees for work as authorized repair providers, right? So any argument that we must protect and keep these things, you know, secure is not exhibited by the actions of the manufacturers. They're displaying them to potentially tens of thousands of people across the country. So if there's a risk in that, then clearly that risk already exists. The other thing I would say is, you know, in keeping with what Danny was saying was that providing access to the repair tools and information is not going to adversely affect the security of these devices And you know these are already being deployed They already being widely used. And so, yeah, I would urge you to oppose this bill. Thank you very much. And our last question to Robert Espinoza. Thank you, Madam Chair. Some of the question, some of the issue has been fleshed out a little bit in the previous discussion, but I guess I think the critical issue here is there's a sense of whether we're talking about hardware versus software and whether we're talking about right of repair versus cybersecurity. So there's four different, as I see it, four different issues at play, and my concern with all the testimony to date is each of you seem to be shifting from one to the other to make your points. And I guess for me, the question becomes, are there circumstances? And when you say firmware, I think about the annoying Epson printer I have at home, which is always telling me that there's a firmware update that I must upload to my printer in order to make my printer work. I don't see that as a repair tool. I see that as part of the contract I have with my Epson printer, that they will keep those security patches, because that's what I look at the firmware as being a security patch that a company who I've engaged in a contract with is providing to me. And that goes to the level of the cybersecurity issues that we're talking about in terms of the tools not being the hardware, because when I look at the bill, the original bill, it was mostly saying we want to be able to buy individually as consumers those plug-and-play pieces that are hardware, not the software. So the critical issue for me is why are we continually going back and forth between these four different definitional issues, and is there a way? And I guess then the secondarily part of that, then there's the question of critical infrastructure, because to me the bill that we're looking at today is limited by the parameters of critical infrastructure, not by the parameters of the hardware. So the fact that you say it's in a coffee shop and it's in a water plant, the issue is I don't want whatever the software or the software part to be accessible to somebody to be able to deploy a cyber attack against the water plant. that seems to me the boundaries of what we're looking at and my concern is how does fighting over the definition really get us there or how do we get to a place where we can protect because I do think there's differences in terms of those objects and locations that we need to protect that may not be protected under our bill if our bill is not consistent with the 41 other states that have passed this law Mr. Katz. I can take a crack at a couple things. The physical versus software, as I explained before, a lot of times you need both to repair something. So if you're going to repair a fan, you don't just need the physical fan, but you need the firmware that will allow the fan to talk to the server. So the reason we have passed these laws is mostly because a lot of people could find the fans. Like if you're entrepreneurial, you can usually find the physical tools. The tractor folks could find the piece that they needed for the tractor. But it was that firmware that was withheld. And so I don know if that helps bring together why we saying both software and mechanical pieces are important So that my attempt to answer the first question And the second question of critical infrastructure versus not critical infrastructure, I think we all agree there's a thing called critical infrastructure out there. And the place that I'm diverging from the proponents is I'm saying when it comes to repair, we should make sure that critical infrastructure has as many options as possible to repair their stuff as quickly as possible and right now the current colorado law would allow for whether you you know if you define critical infrastructure as a power plant or military installation colorado law would say that that entity if they have an it expert or in-house technician that they should be able to get access to the repair tools to do that repair themselves and not just have to go through the manufacturer, which they may choose to do, but they would have an option. And I think we should be giving as many options to these critical infrastructure. I think we shouldn't be doing the opposite, which is withholding these tools and critical infrastructure, hoping that those tools don't get into the hands of bad actors. They're going to get into the hands. So we might as well make sure that the people who need it the most have them. And I don't think they are used for nefarious purposes. So we're just holding back repair tools that could be used to just fix stuff and keep our infrastructure moving and working. And I saw, Jake, you had your hand up. Feel free to add in. Yeah, Danny covered most of it. But yeah, there's an intersection where this conversation about security versus hardware really does come down to the firmware portion. And you're right, this bill does not really talk about software, but there are people that muddy the waters by talking about the software layer of a hardware product, where this really speaks to the hardware portion of it. we should be able to replace the power supply. We should be able to reconfigure ports to be able to repair a device without having to violate a software layer that sits on top of it, which is common in large enterprise devices. So that firmware kind of ties both of those things together because firmware can be done because there's a found problem with the product, a defect in it that it would cause it to overheat or to disconnect. And so they will release a firmware patch that says you need to go to this level to support this device or to have a stability or a safety issue. But they also package security updates into those that they find that there's a vulnerability in a remote port that they need to also resolve. But the thing is, is they withhold all of those updates, even if they're not security related. If they're safety or data integrity related, they still withhold those from the owners under the guise of, well, this is a security function. Thank you. Go ahead. Can I address the cybersecurity piece? So I think there's, if you have a repair tool, the repair tool normally allows you to find out what's wrong with the device. And so you get some diagnostic information from the device using a repair tool. And that diagnostic information is actually very useful to a defender often, right, to find out, hey, what's going on with this device? Is something acting the way it should not be acting So obviously not having access to those diagnostics tools would make you have to find some other way to get that information But the second piece is actually the reason why I'm here, right? Because you're absolutely right. In most cases, the cybersecurity examples that are being given to you have nothing to do with what we're talking about for right to repair at all. The attacks that are launched by China against critical infrastructure, those are not right-to-repair issues. The attacks launched by Russia against Ukraine, that has nothing to do with right-to-repair, right? And so that's why I'm actually here, because I'm a cybersecurity person, and when I see that, I'm like, those two items are actually not related. So I'm glad that you picked that up. Last question, Representative Espinoza. I did pick that up, but I also picked up the opposite, which is why I believe the proponents are bringing forward this bill, which is that it is the firmware itself and the capacity for reverse engineering based on that firmware, which has exactly those defects and vulnerabilities in them that they're afraid to provide. So I think that's the other side of the equation, and that's what I'm trying to figure out how that meshes. If we're only talking about hardware, that's one thing. But if we're talking about that firmware, then that relationship also distinguishes the location of the coffee shop versus the water plant. Yeah, you're welcome to respond. I'm glad you brought that up as well because in my line of work, I actually do a lot of reverse engineering of firmware. And reverse engineering of systems software firmware is actually protected with a different law. And so that's not a right to repair item. All right. Thank you all so much for your time and testimony. All right, our next panel includes Henry Stiles, Tom Maloney, John Earhart, Alicia Sittle, and Dr. Elizabeth Chamberlain. And Ms. Gay Gordon-Byrne. All right, while we work on getting folks pulled up, you're welcome to begin. Introduce yourself and the floor is yours for two minutes. Thank you. My name is Henry Stiles. I'm with Environment Colorado. and I'm here on behalf of Environment Colorado. I'm here asking you to oppose SB26090. As a statewide environmental advocacy organization with thousands of members across the state, I believe that SB90 undermines critical progress on empowering repair to address the growing issue of electronic waste. The definitions used to exempt critical infrastructure, as many have already said here, are unreasonably broad, referring to devices that are intended for use in critical systems and not just devices that are themselves critical assets. It's hard to see how every single internet connected device would not be considered intended for use on the internet, which is itself a critical system. Targeting products sold business to business or business to government does little to limit the scope. This gives manufacturers the ability to limit reuse by limiting repair. They can simply tell a school or non-profit or small business that purchases used IT equipment, that equipment was intended for use in critical infrastructure and was intended to be sold via business or government contract and deny access to repair tools. This is going to create a huge pollution problem especially as we see the explosion of data centers if this equipment is not allowed to be repaired. I'd like to add just before working in environmental work, I've only been doing this for two years. I spent 30 years in the technology industry as a software engineer. I did work on critical security problems and complex systems. In my experience, if a device has a vulnerability, a bad actor will and can find it. They don't need an official manual or a manufacturer's tool to exploit a flaw. Gatekeeping these resources does not stop hackers. It only prevents legitimate owners, including our schools and hospitals, from repairing their own problems. Thank you so much. Your time has expired. Thank you. Welcome, sir. Please introduce yourself from the floor as yours for two minutes. Hi, my name is Tom Maloney. I work at Blue Star Recyclers. We're a nonprofit electronics recycler and refurbisher. Most of us there, myself included, are on the autism spectrum where I have other disabilities and various employment. And sort of, you know, a lot of what we get, we have to, at the moment, we have to recycle. We're trying to move into reuse. we're trying to get you know everything we're trying to use that pyramid you know the reduce reuse recycle we all learning we're trying to you know get um reuse going but some of these devices they're locked down you know we can't get the ways to re it's a waste to erase them or fix them so we have to send them out to get shredded which is like you know compared to not making a new And you can shred something and then make a new device out of it, but compared to just reusing something, it's a huge environmental difference. And also, like, a lot of this stuff that is now critical infrastructure, you know, in 10 years or whatever is going to be consumer-grade. and we'd like to make sure that, you know, that stuff, once it's reached its end of life, is able to be reused either, you know, the server, you know, doing the hard calculations at a government facility now could be running a nonprofit's AI in, you know, in a couple of years. We'd like the ability to be able to, you know, reuse those kind of things. yeah that's why we that's why that's why we I oppose the broadness of the current bill thank you so much welcome please introduce yourself in the floor is yours for two minutes hello committee my name is John Earhart I'm an electrical and software engineer having worked in the past on cell phones, automotive engine controllers, as well as now numerous software projects. My most recent previous position was as a contractor to the federal government, upgrading software to ensure the security and reliability of the main IRS website. This bill does nothing to further security of critical IT infrastructure. Security through security is not effective. Having a device physically in your hand allows one to reverse engineer much of a schematic. And even for those with limited skills, one could breach any system either given enough time or a sophisticated enough attack Some of the rhetoric given by those in support of this bill really concerned me using scare tactics that really aren even valid The current right to repair law doesn't require releasing source code or encryption keys. And the word key was often used again and again to try to scare this committee. What I'd also like to talk about is that I think several other people have talked about as well is that FedRAMP is a federal security requirement for infrastructure projects that runs on effectively the same hardware that is used on every other IT, data center, what have you. It's the same hardware. And I think the federal government would like to be able to repair its equipment, as does the others have given the example of the military as well. I'd also like to challenge the lobbyist for Cisco. Given the right documentation, I'm sure I could easily repair his servers. Thank you for your time. All right, let's go online. Next up, Alicia Seidel. Yeah, hi. Thank you. I am Alicia Seidel. I'm the Executive Director of the Open Source Hardware Association, a nonprofit based in Colorado. We represent businesses, academics, makerspaces, DIYers, and repair communities. There are several open hardware businesses right here in Colorado, more so than other states. All these communities depend on the right to repair to function. This bill is too broad. Critical infrastructure can be considered anything within the government, and private companies are providing the infrastructure. Private companies do not act in the best interest of the public. What will stop them from labeling everything as critical infrastructure? I'm also involved in schools and libraries here in Boulder. Servers just went down during CMAS testing, you probably heard. Districts often have a choice of who might repair their infrastructure, be it in-house, contracted third party, or the manufacturer. This bill would make it difficult to repair or improve their infrastructure and severely limit their options when something breaks and would cost more among Colorado's already strained budget. It is a false pretense to claim that repair tools are a security risk, and limiting those tools to the manufacturer's repairs is safer. Cybersecurity threats are an issue, but access to repair assists in fixing those risks. Reverse engineering is a term because people can always find a way to breach security. Obfuscation is not reliable security, as the other gentleman just said. The Internet runs on open source software as a method of security. In hardware reducing, including servers and infrastructures, open source security also means the ability to repair. I have been in the hardware sphere for over 15 years. Our community at times has been called upon by governments to fix things during natural disasters, including cleaning up waterways, protecting the public, finding the waterways, and from nuclear disaster fallout. When gas pumps were being compromised here in Colorado, the police department in Longmont came to our community to reverse engineer the hardware. They did not use their own or the Bluetooth company's IT staff. Thank you so much. Your time has expired. Thank you. Last up on this panel, Ms. Gay Gordon-Byrne. Are you able to unmute Okay So that was me unmuting Hello Madam Chairman members of the committee I sorry to be last but I happy that it over I'm sure everybody else is hungry and tired. So a couple of things. I am the Executive Director of the Repair Association, and I'm also one of the founders. I had a almost a full 50 year career selling, buying, selling and leasing IT equipment to corporate America. And I can tell you, I also was a authorized repair and authorized sales provider for IBM, HPE, Cisco and several other brands. So I have a little bit more at more experience than the average bear in this space. And you are not being the people that have come forward to try to protect their interest in blocking repair. They say they're in favor of SB 90. They are lying to you. And I don't know how to I don't know how to sugarcoat that. These companies do not like right to repair because anything that gets fixed keeps you out of the store. They can't sell more equipment if they if they continue to use the old stuff. So they have a very strong interest in keeping you from using old stuff. That is a big problem. There's a bunch of things that have been said that are just simply not true. The bill does not have any requirements, as was said, for source code. There's no requirements for encryption keys. There's no requirements that anybody buy anything from anybody other than that you should have the option as the owner to be able to repair your own equipment, which is where this bill goes seriously off the rails because the owner is not involved. How does the owner behave as an owner when they can't buy a repair? So I would say that's the number one problem is ownership. The number two problem is bullshit. And I'm sorry, I'm tired. My mouth is getting ahead of me. So I will, I'll stop now. It sounds like a technical term. Okay. Let's move on. Oh, I see. Dr. Elizabeth Chamberlain has joined us. Yeah. Hi. Thank you. I'm Elizabeth Chamberlain. I'm testifying on behalf of I Fix It and Opposition. I Fix It, if you don't know us, we're the repair website where people go when they want to fix something. We publish free repair manuals. We sell parts and tools, and we fight for repair rights. And in the last year, over 36,000 Coloradans used iFixit. And I want to echo a lot of other testifiers today. The same servers and switches are used in critical and non-critical settings. And the new retail and B2B limitation doesn't fix that. So, you know, you can picture a CU student trying to pull up research, a professor trying to get online before class. When there's downtime, it hits campus Wi-Fi, it hits the library. but because CU uses the same Cisco ACI data center switches that are in wastewater treatment plants, manufacturers could point to it and say exempt, which would mean withholding the tools and documentation that staff need to maintain their equipment. Not just schools. Longmont, city's IT department manages over 50 switches, routers, firewalls, more than 900 PCs. It's the basic machinery of local government, And this bill would let manufacturers block IT departments from getting the tools and information that they need to keep Colorado cities running. A repair manual is not a password. A diagnostic tool is not a cryptographic key. Right to repair doesn't require handing over secret credentials. The bill, even with amendments, is still too broad. Its security premise is wrong. It gives manufacturers another tool to monopolize repair Colorado led the world on right to repair Please reject this bill Thank you Thank you very much Members what questions do you have for this panel Representative Froelich. Thank you so much. Did you say blue? Blue Star Risk. Yeah. A wonderful place. Thank you. Thanks for all you do. Thank you. I just want to say thank you. Yeah. All right. Any other questions? I appreciate it. I'm sorry. Representative Espinoza. Thank you. I'm actually going to join Rep. Frolic because I believe Blue Star is in my district, so I want to give them a shout-out since they're someone I take my computers to when I'm done using them. Loving all the Blue Star love. That's great. Okay. Any other questions? Okay. I have a quick question. I'm just not entirely sure who it should be for. So I want to understand, it sounds like, help me walk through this scenario and forgive me, it's 6 o'clock and it's been a day, so we're going to go on a journey. But let's say, for example, I am a, like, I'm considered critical infrastructure, right? Like I have an organization that's like considered critical infrastructure. I need to repair something that I have that's IT related and I go back to the company and I say I need to be able to repair this and they say well we actually had that exempted so now you can't actually fix it yourself we have to come in and fix it ourselves. So is it safe to say that like the people who are entrusted with the critical infrastructure are basically being boxed out from being able to fix their own critical infrastructure with this bill? Go ahead. What I would say that has happened with farmers who are restricted from being able to repair their John Deere tractors until we're just about to have that stop happening across the country is that it would cost them a lot more to pay John Deere to do that repair. and that it might take a long time, and that tractor or that server would sit down and not working until John Deere would be able to send their technician to go and repair that. So it's really just furthering a monopoly on repair. Go ahead, sir. And we also know there's a lot of legacy systems out there, A lot of companies and even government uses, you know, they've got this old piece of machinery that, you know, I need this thing to work to make my whole assembly line work. But, you know, the way it is, if you can't, you know, the way it currently is, the manufacturer could send a firmware update that just like bricks it and says, hey, you need to, you know, this one's too old. Do you have to get a new one? So, you know, as opposed to being able to just like, hey, you know, being able to fix it up yourself and make sure, you know, put a new operating system on it or whatever. Sometimes if you try and do that, companies will send an update to it that turns it into an expensive piece of e-waste. Thank you so much for that. I saw hands from Alicia Seidel. Do you want to weigh in? Yeah, so I would say, like, as a government, you can already pick who fixes your IT devices. You can pick the manufacturer right now, or you can pick a third party, but you haven't always picked a third party. Sometimes you have picked people directly from our fix-it communities, our open hardware communities to come in and fix things for you. And so you're just taking away your own right to choose and to have options on who is fixing your equipment. And then I think Ms. Gordon-Byrne. Yep. Here I am again. Unmute. Unmute. Okay. We can hear you. Oh, excellent. I will also share something that's probably a little bit of a surprise to all of you, is that when you hire the OEM to do repair, they don't always do the work. In fact, most of the time they don't do the work. They subcontract to technicians that might have the right skills, might be in the right location, might be available when others are not available. And so most of what you think is happening directly with the OEM is actually happening through the independent repair channel. And that's where my members, all roughly 400 of them, 300,000 technicians, several multibillion dollar businesses, that's where they come from and they get the work. But they're not allowed to compete because of bills like this, which say, oh, no, it's too dangerous. Your cybersecurity will be at risk if you hire somebody other than the OEM. So there's a lot of deception going on. There's a lot of subcratic arrangements that are not included. The cybersecurity issue is really quite peculiar because under the U.S. Department of Homeland Security, there's requirements for procurement called the FAR and the DFAR. And they say that, yes, there is critical infrastructure, but none of the ordinary IT equipment, including communications equipment, is critical infrastructure. Because they know that they need every single piece and they need it to be repairable. I can't say, well, you can't touch this. So I would say we definitely have a definition problem because CISA is not the right is not the right organization to reflect what the federal government does. They were basically a research and an advisory capacity. They don't provide any rules. They don't have any regulations. They have no method of enforcement. It's just the wrong approach, even if you're going to go down that way, which we think is not helpful because the bills that have already passed, both here and elsewhere, already exempt all the stuff that people are worried about. There is no requirement for utilities to share their anything. They already own it. It's theirs. They can do whatever they want. We don't have to ask permission. Let me put this. Public Service Electric and Gas in New Jersey doesn't ask permission to fix a wire. They just go out and fix the wire. And this is the utility world, and we don't have to worry about protecting it. So I wish we had more time. I apologize. Thank you all so much for your time and your testimony. We're going to move on to the next panel. Next panel, Aaron Perzanowiski, Brianna Kerr-Atkinson, Matt Berninger, Andrew Brandt, Megan Eliezer, and Joshua Harrison. Thank you Mr Brandt do you want to get going while we continue to bring other peoples online Mr. Brandt, I'm going to invite you to come off mute and start your testimony. Thank you, Madam Chair. My name is Sandra Brandt. I'm the Executive Director of Electmore Hackers. But more to the point, I've worked as a cybersecurity practitioner for 19 years and in other aspects of cybersecurity since the mid-1990s. I urge a no vote on this wrong-to-repair bill. In my career, I've conducted multiple investigations into compromise of network edge devices, lower walls that the sponsors discussed today, by nation-state threat actors. I work in a space where the kind of breaches others have discussed are, in fact, happening on a daily basis right now, today, without regard of availability of repair manuals to the attackers who are not replacing fans or power supplies. So let me be brief. This bill will have no beneficial effect on protecting cybersecurity. The entire premise of this bill is based on faulty and counterfactual arguments and what appears to be deeply flawed understanding of cybersecurity. We who work in this industry have a GuideStar statement that applies here. Security through obscurity provides no security whatsoever. It's why we don't leave our door keys under the welcome mat. Well, what the sponsors seem to misunderstand is what they're proposing is to enshrine security through obscurity in law in the state of Colorado. That's not just bad law. That's bad cybersecurity. So what makes a critical infrastructure device is not what the device is, but how and where and the purpose for which it is used. And the reality is that the West's biggest adversary, China, already owns every model of every firewall on Earth and has thrown brigades of bodies at them to perform the reverse engineering that Cisco claims they want to prevent. That cat is out of the bag. This bill does not provide any cybersecurity protection to any Cisco firewall or any other device, so I urge you to vote no. Thank you. Thank you very much. Next up, Brianna Kerr-Atkinson. Good evening, Chair Wilford and members of the committee. My name is Brianna Kerr-Atkinson. I'm the vice chair of the Reciple Colorado Policy Committee. Today, I'm representing Recycle Colorado, a statewide nonprofit organization advancing circular economies and improving recycling across the state. Our members share a vision to transform Colorado into a national leader in waste recovery, reduction, and diversion. We're here today in opposition to Senate Bill 90. As part of our mission, we see reuse and repair as an integral part of the circular economy. This is why we support Colorado's right to repair laws, including those specifically for electronics. Our members include local governments, businesses, and nonprofits that collect and or process electronics for recycling and reuse. Extending the life of IT equipment saves valuable resources and reduces the waste that ends up in our landfills where it can cause environmental harm. As part of Recycle Colorado's mission, we want to support local businesses that offer electronic repair services, and we're concerned that Senate Bill 90 would unnecessarily exempt products that have nothing to do with national security but would still fall under the category of critical infrastructure. We are greatly concerned about the provisions in Senate Bill 90 that would exempt a broad category of electronics from right to repair We understand the concern to protect IT security and safety However many of these servers and routers are used by schools nonprofits and businesses that are not working in national security. Therefore, these entities should be allowed to get their equipment repaired by persons within their business or by local repair shops. The use of second-life electronics in this bill in classrooms and in nonprofits may no longer be affordable if this equipment has to be repaired or replaced by the original manufacturer. We believe that this broad definition of critical infrastructure would likely include electronic products that could easily be repaired without creating security issues. We respectfully urge the committee to vote no on Senate Bill 90. Thank you. Thank you very much. Before we allow the next person to move forward, I'm going to try and fill out this panel here. I want to call Matthew Clausen, Neil McBurnett, Susan Thieven. Ryan Call and Brian Loma. All right, let's keep going with Aaron Perzanowski, and I'm sure I slaughtered your name. Thank you so much to the chair and the committee. My name is Aaron Perzanowski. I'm a professor of law at the University of Michigan, and I've been writing about the right to repair and related issues for about 15 years now. As you've already heard from lots of other folks, we need to treat manufactured claims about security with deep skepticism. The repair activities that are protected under Colorado's current law do not create and do not exploit security vulnerabilities. You don't have to take my word for it. The Federal Trade Commission in its Nixing the Fix report, which was the result of years of study, considered and rejected these exact same cybersecurity objections. Even if you are persuaded by the security concerns, I would say respectfully this bill is riddled with ambiguous language that could create wildly overbroad restrictions on the right to repair. So putting aside the federal definition of critical infrastructure, which has already come up. The term information technology is not defined in this bill, and it would naturally sweep up everything from your laptop and your home printer to your TV and your Wi-Fi-enabled dishwasher. They are all computers, right? Now, on its face, the exemption is limited to equipment intended for use in critical infrastructure. But as I read the statute, and honestly, I'd love to be corrected if I'm wrong. It says that all information technology is presumptively exempt from the right to repair law until the attorney general determines otherwise. The statute as written simply does not say that consumer devices are excluded. It says the AG should consider a set of factors, but it doesn't dictate what conclusions the AG draws from looking at those factors. And just as troublingly, the bill creates really strong incentives for the AG to grant exemptions. Manufacturers get to appeal if their exemption is rejected, but consumers do not have an equivalent right to challenge these exemptions. So for those reasons, I'd urge you to reject the bill. Thank you very much. Let's go in person to Susan Thieven. Welcome. The floor is yours for two minutes. Thank you very much So my name is Susan Tevnin and I here today to speak to you on behalf of Xerox Corporation And we here today asking for an amendment via SB 90 to align Colorado existing right to repair law with federal law enforcement traceability requirements for print imaging devices The current law has a parts pairing provision in it, and print imaging devices are subject to U.S. code and mandates to provide law enforcement traceability for anti-counterfeiting and anti-terrorism. I want to be perfectly clear that we support right to repair, and our request for an amendment is not to remove us from the right to repair. It would keep us in the right to repair. We've been doing right to repair for 30 years. We provide all the information, the tools, whatever you need to fix your device. Our issue is with the compliance on the parts pairing. And so we're looking to align the Colorado statute with the federal requirements just as they relate to print imaging devices and only with respect to parts pairing, not with respect to right to repair. We support right to repair. We've also built a robust circular economy for our products. We take things back so we're not impacting landfills, et cetera. And we'd ask your support to make this technical correction to the existing law through SB90. Thank you very much. Next up, Brian Loma. Good afternoon, legislators. Sorry, I'm in my print shop. Ironic that Xerox was talking right beforehand. My name is Brian Loma. I am the Hazardous Materials and Waste Diversion advocate for green latinos colorado i am also a member of of recycle colorado i want to highlight the comments made earlier by blue star recyclers this uh right to repair with with these these type of equipment is an environmental justice issue the rare earth metals and some that are not so rare extracted from the earth, put into these infrastructure systems, need to be able to be reutilized when their initial use has, lifespan has exceeded. We see this in all kinds of things. There's a propulsion battery legislation that's going before the legislature this year that says that when a battery no longer serves the life of the vehicle that it's designed for, that it is repaired or rebuilt so that it can be used for alternate purposes. As many people have testified beforehand, whether it's schools or other forms of infrastructure, as the technology enhances, the equipment trickles down. And we want to make sure that we protect that. this uh amendments that are presented are still too overbroad to allow for these materials to stay out of the landfill we don't want to see them shredded either we want their beneficial uses first and foremost that's why colorado is a leader in right to repair keeping things out of the landfill and we encourage you to vote no on this bill thank you thank you very much next up Ryan Call. Thank you, chair and members of the committee. My name is Ryan Call and I'm representing EcoCycle, which is one of the oldest and largest nonprofit recycling organizations in the country. And this year we celebrate 50 years of recycling in Colorado. We operate the Center for Hard to Recycle Materials or CHARM in Boulder, where we accept electronics for recycling. We also host the Colorado Reuse Leaders Network, a group of local governments, businesses, and individuals looking to expand, reuse, and repair in Colorado. alongside our partners we are exploring ways to extend the useful lives of electronics to repair and reuse eco cycle is proud to have supported the original right to repair for electronics bill which helped made colorado a national leader in right to repair laws while all electronics should eventually be recycled to recover their valuable minerals and return them into the supply chain the reuse and repair of electronic devices are even more environmentally and economically beneficial options for many devices. Not only are there local business opportunities in repair and reuse, but through repair, some groups can distribute second-life electronics to classrooms and communities that may not otherwise be able to afford them. Additionally, manufacturing electronic devices is incredibly resource-intensive, and many electronics are designed to break so that companies can keep selling more and more devices. Exempting such a broad category of electronics from right to repair is a gift to multi-billion dollar brands that are not prioritizing Coloradans economic or environmental interests. We acknowledge the intent of the bill just to ensure IT security and safety. However, as you've heard today, the community of right to repair experts believes that this bill would create an overly broad exemption that could keep schools, local governments, nonprofits, and small businesses from being able to get their equipment repaired. ECOCYCLE stands with other right-to-repair advocates and respectfully opposes Senate Bill 26090. We believe this broad definition of critical infrastructure would likely include electronics that could easily be repaired without creating security issues. Thank you so much for your testimony. Thank you very much. Next up, we have Neil McBurnett. Thank you, Madam Chair. I'm Neil McBurnett, an independent security professional speaking in opposition. I appreciate the opportunity to testify, but I'm frustrated to be at a disadvantage and not know what the amendments are. They seem helpful, but without details, we can't comment effectively. For several decades, I've worked on open source security tools, hardware, and protocols. These are indeed some of the key systems that protect banking, national security, etc. All details of these systems are available to the public for not just repair, but even modification. These open source hardware and software systems have frequently replaced the old proprietary systems. Why? Because they aren't black boxes. It is precisely because the design is public that they are widely trusted. And of course, they don't require passwords to repair them. As I hear it, the premise of the proponents is that manufacturers of these systems for critical infrastructure know things that allow the systems to be hacked. That's bad design. As others have noted, it is a poorly designed repair tool that makes a system vulnerable, especially a system used in critical infrastructure. And as others have noted, that knowledge, those repair tools, those secrets are already themselves risk. that other state actors have probably already tried to compromise. I wouldn't want to buy such a product. If the amendments seem to make all this more palatable, I suggest you ask for details and examples of why a critical infrastructure provider would want to be beholden to the manufacturers. It makes no sense. Owners like me are asking for permission and schools. I love that. We're asking for permission to fix the stuff we bought. Surely the government wants to be able to fix the stuff it bought And we all want private companies that manage critical infrastructure to be able to fix the stuff it bought as soon as possible Thank you Thank you very much And lastly, Matthew Clausen. Thank you, Madam Chair and members of the committee. I appreciate the opportunity to appear before you this afternoon. My name is Matthew Clausen. I'm a resident of the state of Colorado, and I appear today in my personal capacity. I've been employed for the past 30 years as a professional in computer systems, networks, and information security for entities that manage critical infrastructure in communities across the state. I'm associated with multiple organizations and groups at the local, national, and global levels. I appear before the committee today in opposition of Senate Bill 90. First, I have to echo the many, many arguments in opposition made by my fellow panelists this afternoon, some of whom I know either directly or by reputation. In information security, events move fast. Attacks against equipment and software supply chains occur quickly, with critical exploits happening with little to no notice. It is important for a customer organization to be able to fix these exploits without being solely beholden to a supplier who may or may not be able to provide adequate support and knowledge. Organizations supporting critical infrastructure can't wait for a purchase order and or a development cycle to fix issues that are hurting Colorado consumers in the present moment. Likewise, there are many technologists and companies in Colorado that can provide this knowledge and support on a third-party basis. some of whom have already appeared before this committee. In my observation and experience, there is a sizable body of equipment and software supporting critical infrastructure that is not adequately supported by its manufacturer. In some cases, these manufacturers no longer exist. Much of this equipment is dual use, both usable in critical infrastructure and commercial purposes. I have much more to say, but unfortunately limited time. I make myself available to the committee for any questions they may have. Thank you for your time. Thank you so much for your time and testimony. Members, do you have any questions for this panel? Representative Luck. Thank you, Madam Chair. My question is for Mr. Perzanowski, the law professor. Is that right? Yeah, that's right. Thanks. I just wanted to dive in a little bit more to your understanding of how this would work if passed. My reading would say that information technology equipment intended to be used for critical infrastructure is no longer covered by right to repair unless a particular request for a particular piece of equipment goes before the AG. and under whatever rules they adopt, it is then exempted from the exemption to right to repair. Is that your reading of this? It is not. So if you look on and I'm looking at the public version of the bill, I don't have the amendments in front of me either. So maybe some of this is in the process of changing. But if we look at page three, starting at line 26, there is a presumption that the information technology equipment is exempt during the pendency of the attorney general's review. So at the very least, to me, that means in the event, one of these pieces of equipment is in front of the attorney general then during the period during which they making their determination this exemption is already in effect A related issue is frankly looking at the bill I don't understand how anything gets in front of the attorney general to begin with. There is no process outlined for requesting or proposing an exemption. This is on page three, starting at line 12, it says the attorney general may adopt rules to review exemptions. I think there are a lot of crucial pieces, both procedurally and substantively, that are just missing in this legislation. I do not know how you would implement a bill that is missing so many crucial components. Reploc. Thank you, Madam Chair, and thank you for that. So can I just go one at a time? It's your understanding that this, the act as currently stands, if this bill were to pass, would no longer include, as a general rule, critical infrastructure IT equipment. Aaron? That, I think, is the most natural reading of the language I have in front of me. Now, listening at the beginning of the hearing to the co-sponsor, that did not sound like the intention of the bill. But again, without the amendments, I'm having trouble kind of matching the description that we all heard with the reality of the legislative text. Last percent of luck. Thank you, Madam Chair. Last question. So I agree with you that the language on lines 18 through 25 on page three don't lead to a particular conclusion that the AG is supposed to make. They just simply say this has to be analyzed. And how that then applies to their determination as to whether there's an exemption or not would really be within their discretion. is is it your view that if this were to pass and that these these two things were to be included that those two things should then lead to the ag making a particular determination like if you were to amend it because this had to pass how would you amend it such that that the ag would be directed to make one conclusion over another? So I think this is in keeping, again, and I apologize for not keeping track of everyone's name, the co-sponsor who spoke earlier. I think the change you would want to make is to say if the equipment, so I'm looking here at number two on line 22, if the equipment is sold to consumers or sold in resale setting, then the AG should be instructed to reject the exemption. That I think is the way I would resolve that issue. Any additional questions? Seeing none, thank you all so much for your time and testimony. Is there anybody else with us today that wants to provide testimony? Okay, seeing none, the testimony phase is now closed. Bill sponsors, please join us, and we'll move on to amendments. Thank you Vice Chair Clifford where do you want to start Preferably from home, but I'm here now. Same. Hold on just one second. Well, we'll start with L-8, Madam Chair. I move L-8 to Senate Bill 90. Second. We don't have an 8, Representative. Oh, sorry. I am so sorry. Take it back. L-9. Okay. This is the Xerox amendment. Okay. So we've got Amendment L-9 seconded by Representative Carter. Tell us about the amendment. This is that you heard, and by the piece that is required by federal law that goes into printing equipment that keeps you from being able to counterfeit currency, this amendment says federal law prevails for this thing. We're not messing with that. Even Coperg said that they're neutral on this amendment. I recommend an aye vote. So any discussion, any questions? Seeing none, is there any objection to adopting the amendment? Hearing none, Amendment L9 is adopted. Vice Chair Clifford. I'm looking. Wait, does everybody have them? Yes, the amendments were circulated. This is very odd. I'm reading a text message. Just a moment. There are no further amendments. Okay. Members, any amendments? No? Okay. The amendment phase is now closed. Vice Chair Clifford, bill wrap-up. The question here is we know that other amendments are needed. It is clear that the amendments that we have here have not satisfied people to get us to the heart of what is needed. And I have taken copious notes, and we will certainly go back and listen to this, should we get out of this committee today to make sure that we get some of those right. One of the things that I just want to come back to here is I've heard a lot of conversations about broad language, but this is a short bill. And it's not problematic for me to go work and try to get language right. In fact, I have certainly worked on bills much more complicated than the one and a half pages of text here and still been able to thread that needle to make sure that we get to a place where what we're telling, the Attorney General of the state of Colorado, that what they have to do is only narrowly deal with these things and nothing else. And it is quite possible for us to get to that language so that we're not doing something that causes e-waste or causes other issues here. and I am committed to making sure that we get all of those things right. I'm certain that you guys are excited about this on the floor anyway. I'm going to talk a little bit about where I have some disagreements with some of the things that I have – Ed, again, you know, in the day job outside of here, we run a pretty large security company. We very recently just went through a very huge phenomenon with manufacturers from China where the federal government basically said no mas. They created something called NDAA compliancy. And they've gone all the way down to like a chip. like if a chip comes from that country and is in this manufacturer's cameras no more now that is because chips in the most unique way where the gentleman was talking about the firmware and the fan um shouldn't have the ability to communicate necessarily with the rest of the piece of equipment. We have found that that's not necessarily the case. We have found that sometimes when people are trying to sneak something in, that what they do is try to put it into place that is going to be least looked. And they figured out ways. I told you earlier, the security device, which by the way is still covered by right to repair on my own network, attracts tons of attempted attacks on my network. While we were sitting there, 5.03 p.m., I get an alert, and probably 200 different attempts while we were in this committee, I get a notification have happened while we were here. No, that has nothing to do with us being in this committee, but it's because I have that piece of equipment there. If I didn't have it, they wouldn't even be looking at my network. I don't know what's telling the world to look. It's broadcasting something. I also have a big issue with saying that the Internet itself is critical infrastructure and anything that touches the Internet. That is not at all what is being covered here. It's not at all the intention of this bill, but I think that I can come up with some language to make sure that that is not the case. We have the opportunity here to make sure that you do have a choice when you buy equipment. And I think that there are things that need exemptions. And I think all of us can agree that there are likely some things that need exemptions here. I also think the Attorney General's office can be given clear instructions about what does and what doesn't need exemptions. And I think that they will be quite judicious to make sure only the things that need exemptions get exemptions and that that is not going to become some sort of free for all where all of a sudden all consumer goods now are no longer covered by our very well championed and much appreciated right to repair law. I would never try to do something to what we have done so far and right to repair to reverse any aspect of it in any major way. And I recognize that when we were putting it together that we needed to exempt security systems. And I recognize when we were putting it together that we needed to exempt cell phones. And when I recognize certain aspects of communication devices, et cetera. And we exempted those things. And I also think today that there are still some things that we didn cover in those exemptions and I think that we need to have a pathway to allow a regulatory agency to be able to do that thing That is what they asked me to do in this bill That is all that I have been asked to do in this bill. Nobody has given me some other thing that I should be working on or maybe some, maybe if you can get them. There has been some, they asked me to be involved so that I could start to work on something. In many of the same conversations today while we heard you don't get schematics and firmware, et cetera, you also do get schematics and firmware. We're not trying to break right to repair. We're trying to say that if a company has something that they say we need to protect this and they go to the attorney general's office and they get the attorneys in the attorney general's office to agree with them that we should probably protect that thing. Take that one step further. you don't have to buy it then if it made that list. If you want to make sure you purchase something that is repairable, I would not recommend buying the critical infrastructure piece of equipment that has now been exempted from your repair where you know without a doubt you are not going to get a repair tool, you're not going to get firmware for the fan possibly, and the company that installs that thing for you says, we're going to be responsible for the maintenance on it until we're not. And I think that's both right and fair for companies that are developing this technology that don't necessarily want their stuff to get into the other hands. I assure you the company Hike Vision, who makes cameras, would love to turn the tides and be able to continue to sell their cameras in the U.S. market. And they can't. They can't fix it. They can't make them come from Taiwan now. They can't fix it. So we're talking about manufacturers that are developing something newly, sometimes on cutting edge technology. And I do think that we should give the ability to have a regulatory body that says, you know what? We recognize nothing other than we might not have covered all the important exceptions. And we've got companies that are telling us that our critical infrastructure is at risk. because of it. And I have been willing to make this a fully government interest. I have been willing to make sure that we get the language correct. And there is a big political will to just kill this bill. I don't think that that's what is needed here. I think it's very important or I would not have spent any time on it. Again, I want you to know I don't like this fight. I don't like fighting with the sponsor. I am very, very, very, very pro right to repair. And that is not changing. And I also recognize that we may need to address a way to make exceptions. And that's what we're doing here. Thank you. Representative Hartzuck.
Thanks, Madam Chairman. Thank you, everybody. We know it's getting late. Everyone's tired. It's late in the day. It's late in the session. I'd like to bring us kind of back to the center here. We've heard a lot of testimony this afternoon. One extreme to the other. There's nothing in this legislation or intent that's going after schools, the environment, right to repair. We're not trying to take anything away from anybody. 99 of the people that are operating out there are going to keep going on doing what they doing regardless of this bill This bill applies to that little sliver that are going to deal in that category Comments were made, well, it needs to be more prescriptive. In general, we don't like to write prescriptive legislation because it needs to be adapted as we go. The rules are going to look at that. Just 10 days ago, I think it was, we saw the splashdown of Artemis II. They had ULA and Lockheed. They teamed together. The same framing hammer that you use to build buildings out there is not what you use on a spacecraft. The technology, everything is changing. Artemis III is going to be different than Artemis II. As technology changes, we want that ability to go out there. If it's deemed it falls, the AG says, this falls into critical infrastructure, then so be it. But that's going to be a fraction of what the work is that's going out there. From a business perspective, we want businesses to have the latitude to do their job. But if they have something that is, as they deem, critically important and they're critical infrastructure and they talk to the AG, then they have to make that case. It's not just willy-nilly, I say this is critical infrastructure, therefore it is. That's not how it works. There's process and procedures to go through. We're not trying to make this complicated. We're trying to make it very simple, provide latitude for not only the AG but for the businesses so they can look at things. It's designed to be fluid. So as things change over time, technology changes, they can look at that. Right now, if you're a business and you're doing work here in Colorado and if something comes up and you're in conflict with federal law, you're going to be faced with an option. We've already passed so many laws that there were trouble here for businesses in this state. This bill is not trying to make things more complicated. It's trying to make things simplified by saying, if you have this sliver of a category of critical infrastructure, let that go to the AG. Let them decide. Let's see if you're there. The rest of it, keep doing business as you're doing. We're not trying to change any of that. With that, we would request an aye vote. Thank you.
Vice Chair Clifford, do you want to move your bill?
Yes, Madam Chair. I move Senate Bill 90 as amended to the Committee of the Whole with a favorable recommendation.
Second. All right, seconded by Representative Foray. Any closing remarks? We'll start on the end here. No? Closing remarks? Closing remarks? Closing remarks. Please, go. RepRix. I just want to thank the sponsors for bringing the bill I you know again in the beginning you talked about your scenario about your Saret home and as I said I was struggling then and in listening to the testimony it does not seem that you know the things that you're concerned about or what Cisco said was required. You don't have to give the inscription keys. You don't have to give schematics. You don't have to give SOSC code. You need to do firmware for whatever part that might be replaced. So it's limited information in pieces that are given. They talked about that 99 of the cybersecurity attacks are because of other issues not related to right to repair Jake from State Farm I just want to say that but he said the servers used in coals are the same servers that are used like in a water plant You know, so we're making it difficult for people to repair infrastructure if we start to look at equipment, because the broadness of the bill means that this computer or server that can be used in this network can also be used in something that's critical. How do you distinguish? It does not allow for businesses to react quickly enough to repair their systems because they have to go through the original manufacturer. Even the government wants to repair their equipment. so I don't believe that this bill meets what you're trying to do I'm going to be a no and I have no doubt that you took a lot of time to put into this bill but it doesn't look like it's necessary because already in the original right to repair bill the utilities and different things are already exempted so what are we really trying to do here are we protecting just one company or are we looking at really critical infrastructure? And I'm not convinced. Thank you. Closing comments? Rep Locke. Okay, Rep Wynn. Thank you, Madam Chair. I'm a yes for today. And the reason why, just for today, is because I recognize that there are serious concerns with the right repair activity groups. I recognize that there are still a lot of limitations that should be addressed. And I do also want to recognize that this is a national security issue. And I trust the attorney general's office with being able to decide what technologies do count as national security. This is not a yes for, you know, a lack of service. Because I think right now is that people want to have able to, you know, serve their constituents, not service. Sorry, let me rephrase. They want to make sure that they serve the public with technologies that you can repair, you can bring back. I fully am committed for that. But I'm yes for today, but I do want to see some more amendments and more stakeholding when we go into seconds on the floor. Representative Espinoza. Thank you, Madam Chair. Thank you, sponsors. I think we've heard today that there is some concerns with how this bill is structured at this point in time. I do believe there is an opportunity to more narrowly tailor what you're trying to get at in order to not address the concerns, I think, legitimately that have been raised in terms of its overreach and impact against the existing right to repair law. However, I do think in doing that, it's critical to evaluate the issues that we've heard. And I guess part of it goes to the basic definition in your bill or the basic premise of your bill, which says the bill exempts information technology equipment that is intended for use in critical infrastructure. I think that sets the issue the wrong way. I think the issue should be critical infrastructure that uses technology subject to attack needs to be protected. I mean, if we're creating exemptions, that's the better way to frame the issue, I believe, than what has been done in this bill so far. And I think that's a formula to begin to narrow the issue so that we can address the legitimate concern that may exist when we're talking about potential bad actors obtaining information in those critical infrastructures. areas. I do agree with what was said by Representative Ricks that the existing bill has substantial exemptions which may apply to this, and I would encourage you to talk to the people who pushed forward this proposal to say, how do we frame just a simple, narrow, additional exemption to that list rather than creating a whole process, necessarily, of attorney general review. Using my background in federal government, as Representative Hartzik, I also worked in the federal government. I did records management, privacy, and freedom of information and national security for the Executive Office for Immigration Review and the Department of Justice. As such, I dealt with some of those underlying structures and especially the national security structures that we were addressing in conjunction with the Department of Homeland Security. In the context of looking at those kinds of systems and structures, however, and their relationship to national security or critical infrastructure, we narrowly tailored how we were going to restrict the access because we had internal people working on those systems. And I think even Representative Hartzik, you said you were one of those individuals who could internally work on those systems. But I think what I heard is that, well, one of my concerns is that I think there's two different issues going on, and that is how hacking comes into play with the right to repair law that we have on the books today. and that there's a concern that the firmware or the – I don't know that people have trouble with the pieces themselves being plug-and-play. Maybe they do because I know in our – I drive a BMW and OEM versus plug-and-play are very difficult kind of intersections, and you get into that firmware kind of an issue, right? If you don't use the manufacturer's OEM products, sometimes those things don't communicate very well. All of that to say, I think we need to focus on just the critical issue, no pun intended, of what is the nature of the limited things we want to protect as an exemption. And if we focus on that, then we may not need an additional regulatory structure through the Attorney General's office. It may be a simple fix in terms of adding to the exemptions that currently exist or clarifying those points. and it may be the better way to get to where we want to get to. But if we do use the attorney general process, there is framework in the federal government to address the proprietary nature of some, both hardware and software, that would be subject to an evaluation. And we should look to those processes as well. All right. Thank you very much. With that, Ms. King, please. I don't think we closed amendment phase. Yes, we did. Oh. Thank you. I just had a question, but okay. Thank you. Okay, with that, Ms. King, please poll the committee. Representatives Bottoms. No. Bradley. No. Carter. Yes. Espinosa. Yes, for today. Gray. No. Rolick. No. Luck. No. Nguyen? Yes, for today. Ricks? No. Krolek? No. Clifford? Yes. Madam Chair? Respectfully, no. Senate Bill 90 fails on a vote of 7 to 4 Representative Froehlich, can you make a motion to postpone indefinitely? Thank you, Madam Chair. I move to postpone indefinitely as Senate Bill 90 on a reverse roll call. Seconded by Representative Froehlich. Is there any objection? Seeing none, Senate Bill 90 is postponed indefinitely by reverse roll call. Thank you all. We will not be meeting on Thursday, but stay tuned for any future meetings potentially next week. With that, the State Affairs Committee is adjourned. Thank you. Thank you. Thank you Thank you. Thank you. Thank you Thank you. Thank you. . Thank you. Thank you. Thank you. Thank you. Thank you Thank you. Thank you. Thank you Thank you. Thank you. . Thank you. Thank you. Thank you Thank you. Thank you. Thank you Thank you. Thank you. Thank you Thank you. Thank you. . . Thank you. Thank you. Thank you Thank you. Thank you. Thank you Thank you. Thank you. Thank you. Thank you. . Thank you. Thank you. Thank you Thank you. Thank you. Thank you Thank you. Thank you. Thank you Thank you. Thank you. . Thank you. Thank you. Thank you Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. . Thank you. Thank you. Thank you. Thank you. Thank you Thank you. Thank you. Thank you Thank you. Thank you. . . Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. . . Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. . . Thank you. Thank you. Thank you. Thank you. Thank you. Thank you. Thank you Thank you. Thank you. . . Thank you. Thank you. Thank you. Thank you. Thank you Thank you. Thank you. Thank you. Thank you. . . Thank you. Thank you. Thank you. Thank you. Thank you Thank you. Thank you. Thank you Thank you. Thank you. . Thank you. Thank you. Thank you. Thank you. Thank you Thank you. Thank you. Thank you. Thank you. . Thank you.