Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Colorado: AG fines Impact MHC $25,000 following data breach

The Colorado Attorney General ('AG'), Phil Weiser, announced, on 14 June 2021, that he had fined Impact Mobile Home Communities, Inc. $25,000 and ordered them to implement new safety measures after more than 15,000 people's sensitive information was exposed in a data breach, which included 719 Coloradans. In particular, the AG noted that Impact MHC failed to properly safeguard sensitive information and allowed employees to send and maintain that information in their email accounts. In addition, the AG outlined that in October 2018, criminals used a phishing scam to access Impact MHC's employee email accounts (and has access to the accounts until July 2019) that contained confidential personal information of Impact MHC's customers and employees, including social security numbers and financial details. 

Moreover, the AG outlined that Impact MHC was in violation of the following:

  • failure to comply with Colorado's Data Disposal Statute under § 6-1-713 of the Colorado Revised Statutes ('C.R.S.');
  • failure to comply with Colorado's Data Protection Statute under § 6-1-713.5 of the C.R.S.; and
  • failure to comply with Colorado's Security Breach Statute in two ways under § 6-1-716(2) of the C.R.S. by failing to conduct a prompt, good faith investigation, and by failing to timely notify impacted Colorado residents.  

Furthermore, the AG highlighted that after discovering the data breach, Impact MHC took ten months to provide notice to Colorado consumers, even though Colorado law generally requires notice of a data breach no later than 30 days after it occurs. Lastly, in the settlement, Impact MHC agreed to pay $25,000 to the AG's Office, and an additional $30,000 if it fails to implement other measures, such as creating a written information disposal policy, a comprehensive cybersecurity program, and an incident response plan in the event of future data security incidents.

You can read the press release here and the settlement here.