Last week, Impact MHC, a Colorado-based mobile home park management company, agreed to pay $25,000 to the Colorado Attorney General’s office and implement new security measures after a data breach of more than 15,000 individuals’ personal information, including 719 Colorado residents. If Impact fails to implement such security measures (such as creating a written information disposal policy, a comprehensive cybersecurity program, and an incident response plan) within the allotted timeframe, it must pay an additional $30,000.

In October 2018, Impact discovered that hackers had used a phishing campaign to access its employees’ email accounts, which contained personal information of customers and employees, including Social Security numbers and financial information. The hackers had access to the account until July 2019. After discovery of this incident, Impact did not notify the affected Colorado residents for over 10 months. Colorado state data breach notification law requires notice of a breach within 30 days of discovery.

Attorney General Philip Weiser said, “Now more than ever companies must remain vigilant in the digital world. A data breach like the one at Impact MHC can put important consumer financial and personal information in the hands of the wrong people and cause significant harm to Coloradans and their families, as we have seen recently with regard to the unemployment insurance fraud that has led to over one million fraudulent claims. We will continue to hold companies accountable for safeguarding residents’ data.”

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.