
Colorado: AG fines SEMA $63,000 following data breach

The Colorado Attorney General ('AG'), Phil Weiser, announced, on 8 November 2021, that as part of a settlement, SEMA Construction, Inc. will update its data security practices and pay more than $63,000 after it failed to protect the personal information of nearly 2,000 Colorado employees and residents. In particular, the AG noted that SEMA is alleged to have violated Colorado data security laws including §§6-1-713, 6-1-713.5, 6-1-716 of Part 1 of Article 1 of Title 6 of the Colorado Revised Statutes, when it failed to maintain reasonable security practices and notify Colorado residents of a 2018 data breach in a timely manner. In addition, the AG highlighted that when SEMA was the target of a phishing attack in October 2018, the company did not have a data disposal policy. Moreover, the AG outlined that SEMA employees had stored personal information, such as social security numbers, bank account or routing numbers, and driver's license numbers, in their employee email accounts for as long as 20 years. Additionally, SEMA is alleged to have failed to account for this risky practice and did not take a comprehensive approach to information security, as it should have, given its size and the nature of the information it maintained.

The AG also noted that when SEMA discovered, nearly a year later, that the phishing attack had compromised employees' email accounts, the company was unprepared to notify the affected Coloradans. Although SEMA learned of the breach in 2019, it did not notify some employees until 1 October 2020, and others not until 30 December 2020, more than two years after the company first discovered the phishing attack.

Furthermore, the AG highlighted that, as part of the settlement, SEMA agreed to update its security practices by maintaining an incident response plan, an information security plan, and an information disposal policy. Lastly, the AG noted that SEMA will also submit reports to the Colorado Department of Law so that its future compliance with Colorado law protecting the personal information of its clients and employees can be verified.

You can read the press release here and the settlement here.