Colorado: AG fines Impact MHC $25,000 following data breach
The Colorado Attorney General ('AG'), Phil Weiser, announced, on 14 June 2021, that he had fined Impact Mobile Home Communities, Inc. $25,000 and ordered them to implement new safety measures after more than 15,000 people's sensitive information was exposed in a data breach, which included 719 Coloradans. In particular, the AG noted that Impact MHC failed to properly safeguard sensitive information and allowed employees to send and maintain that information in their email accounts. In addition, the AG outlined that in October 2018, criminals used a phishing scam to access Impact MHC's employee email accounts (and has access to the accounts until July 2019) that contained confidential personal information of Impact MHC's customers and employees, including social security numbers and financial details.
Moreover, the AG outlined that Impact MHC was in violation of the following:
- failure to comply with Colorado's Data Disposal Statute under § 6-1-713 of the Colorado Revised Statutes ('C.R.S.');
- failure to comply with Colorado's Data Protection Statute under § 6-1-713.5 of the C.R.S.; and
- failure to comply with Colorado's Security Breach Statute in two ways under § 6-1-716(2) of the C.R.S. by failing to conduct a prompt, good faith investigation, and by failing to timely notify impacted Colorado residents.
Furthermore, the AG highlighted that after discovering the data breach, Impact MHC took ten months to provide notice to Colorado consumers, even though Colorado law generally requires notice of a data breach no later than 30 days after it occurs. Lastly, in the settlement, Impact MHC agreed to pay $25,000 to the AG's Office, and an additional $30,000 if it fails to implement other measures, such as creating a written information disposal policy, a comprehensive cybersecurity program, and an incident response plan in the event of future data security incidents.