A Cedaredge-based mobile home management company has been fined $25,000 for failing to secure its customers data.
The Colorado Attorney General’s Office announced the fine and an agreement for Impact MHC to implement new data security measures after a 2018 data breach.
According to a news release, the breach exposed sensitive information belonging to 15,000 people, including 719 Coloradans.
Impact MHC manages mobile housing properties across Colorado, including in Mesa County.
The breach came after criminals, using a phishing scam, gained access to an Impact MHC employee email account. The AG’s office said those emails contained confidential personal information about Impact’s customers and employees, including Social Security numbers and financial details. The criminals had access to the accounts until July 2019.
According to the state, Impact MHC failed to properly safeguard sensitive information and allowed employees to send and maintain that information in their email accounts.
After discovering the data breach, Impact took 10 months to provide notice to Colorado consumers. Colorado law generally requires notice of a data breach no later than 30 days after the breach occurs, according to the state’s release.
“Now more than ever, companies must remain vigilant in the digital world,” Attorney General Phil Weiser said in a statement. “A data breach like the one at Impact MHC can put important consumer financial and personal information in the hands of the wrong people and cause significant harm to Coloradans and their families, as we have seen recently with regard to the unemployment insurance fraud that has led to over one million fraudulent claims. We will continue to hold companies accountable for safeguarding residents’ data.”
In addition to the $25,000 fine, Impact MHC will face a further $30,000 fine if it fails to implement new precautions to secure its customers’ data. Those measures include creating a written information disposal policy, a comprehensive cybersecurity program and an incident response plan.
According to the Attorney General’s Office, state law requires companies that maintain sensitive personal information to take reasonable steps to protect the information, dispose of it when it is no longer needed and notify Colorado residents promptly when their information is at risk of being misused by unauthorized third parties.