The Daily Sentinel reports:
A Cedaredge-based mobile home management company has been fined $25,000 for failing to secure its customers data.
The Colorado Attorney General’s Office announced the fine and an agreement for Impact MHC to implement new data security measures after a 2018 data breach.
According to a news release, the breach exposed sensitive information belonging to 15,000 people, including 719 Coloradans.
Read more on The Daily Sentinel.
The following is the state’s press release:
Colorado mobile home company to pay $25,000, implement new safety measures after data of more than 700 Coloradans exposed
June 14, 2021—Attorney General Phil Weiser today announced that Colorado-based mobile home park management company Impact MHC will pay $25,000 and implement new safety measures after more than 15,000 people’s sensitive information was exposed in a data breach, including 719 Coloradans.
Impact MHC failed to properly safeguard sensitive information and allowed employees to send and maintain that information in their email accounts. In October 2018, criminals used a phishing scam to access Impact MHC’s employee email accounts that contained confidential personal information of Impact’s customers and employees, including Social Security numbers and financial details. The criminals had access to the accounts until July 2019.
After discovering the data breach, Impact took 10 months to provide notice to Colorado consumers, even though Colorado law generally requires notice of a data breach no later than 30 days after the breach occurs.
“Now more than ever companies must remain vigilant in the digital world,” said Weiser. “A data breach like the one at Impact MHC can put important consumer financial and personal information in the hands of the wrong people and cause significant harm to Coloradans and their families, as we have seen recently with regard to the unemployment insurance fraud that has led to over one million fraudulent claims. We will continue to hold companies accountable for safeguarding residents’ data.”
In today’s settlement, the company agreed to pay $25,000 to the Colorado Attorney General’s Office, and an additional $30,000 if it fails to implement other measures, like creating a written information disposal policy, a comprehensive cybersecurity program, and an incident response plan in the event of future data security incidents.
As cybercrime and identity theft pose an increasing threat to Coloradans, state law requires companies that maintain sensitive personal information to take reasonable steps to protect the information, dispose of it when it is no longer needed, and notify Colorado residents promptly when their information is at risk of being misused by unauthorized third parties.
Click here to learn more about companies’ responsibilities in the event of a data breach.