Colorado Attorney General Phil Weiser speaks during a media briefing on Aug. 17, 2020. (Moe Clark/Colorado Newsline)
For nearly a year, hackers who got inside a national company’s email accounts had access to hundreds of Coloradans’ confidential personal information, according to a statement from state Attorney General Phil Weiser. The company, which manages mobile home parks, allegedly took 10 months to notify the employees and customers whose information was exposed.
Weiser announced Monday that Impact Mobile Home Communities must pay his office $25,000 and implement new safety measures, under the terms of a settlement. Nationwide, more than 15,000 people — including 719 in Colorado — had their sensitive information exposed in the October 2018 Impact MHC hack, and the hackers had access to the information until July 2019. It was another 10 months before Impact MHC notified the affected employees and customers, according to the settlement.
“Now more than ever companies must remain vigilant in the digital world,” Weiser said in the statement. “A data breach like the one at Impact MHC can put important consumer financial and personal information in the hands of the wrong people and cause significant harm to Coloradans and their families, as we have seen recently with regard to the unemployment insurance fraud that has led to over one million fraudulent claims. We will continue to hold companies accountable for safeguarding residents’ data.”
The money Impact MHC must pay to the attorney general’s office will be used for the state’s costs and attorney’s fees, payment of restitution if needed, and “future consumer fraud or antitrust enforcement, consumer education, or public welfare purposes,” according to the settlement terms.
Colorado’s data security laws require individuals and organizations that hold personal identifying information to create a policy governing the destruction of data. This type of data includes Social Security numbers, passwords, driver’s license numbers and more.
Under existing state law, people and entities also must take reasonable steps to protect others’ personal information, and must notify customers or employees about security breaches. Colorado law generally requires companies to provide notice of a data breach no later than 30 days after it happens, according to the statement from Weiser’s office.
The Colorado General Assembly recently passed new legislation, Senate Bill 21-190, that would further regulate how companies protect personal data. The bipartisan team spearheading the legislation included Sens. Robert Rodriguez, a Denver Democrat, and Paul Lundeen, a Monument Republican, along with Reps. Monica Duran, a Wheat Ridge Democrat, and Terri Carver, a Republican from Colorado Springs.
If Gov. Jared Polis signs SB-190 into law, starting in 2023 consumers would be able to opt out of having their personal data processed by a company, and would have the right to access, correct or delete the data. Just two other states, California and Virginia, have passed similar laws.
The Colorado attorney general would have the authority to write rules for companies to follow in order to comply with SB-190. The state attorney general or district attorneys could penalize companies that violated SB-190’s requirements, using existing laws around deceptive trade practices.