Privacy continues to come to the forefront and can impact companies of all sizes and industries. Construction companies are certainly no exception, and the state regulations and enforcement actions that negatively impact profits and reputation are increasing. This summary focuses on one state’s settlement agreement, but it should be a warning to others. Ineffective information security practices can be detrimental in nearly any state, as new state-by-state regulations are being passed monthly.
One Construction Company’s Privacy Problem
The Colorado Attorney General has entered into a settlement agreement with a construction company, SEMA Construction, Inc. for security breaches and violation of the Colorado Consumer Protection Act (“Act”).
SEMA is based in Centennial, Colorado and operates construction sites throughout the United States. The company maintained sensitive personal information of Colorado residents, including Social Security numbers and financial information. It allowed some of this information to be stored in employee email accounts, and it failed to dispose of the information long after it was no longer needed.
The company was the victim of a phishing attack, in which a criminal obtained the login credentials for the email accounts of multiple SEMA employees. The attack exposed the confidential information stored in those employees’ email accounts.
SEMA’s inadequate data security practices allowed a cybercriminal to access SEMA’s emails, including those containing personal information of Colorado residents. The criminal had access for eleven months before SEMA detected the intrusion. The breach affected 1,289 Colorado employees and 662 Colorado residents.
Due to SEMA’s unreasonably long investigation and delayed notice, affected Coloradans were unaware that their information had been compromised until 16 months after SEMA discovered the breach.
Specific Violations of the Act
Two sections of the Act were violated:
- Section 6-1-713 requires companies that maintain, own, or license paper or electronic documents containing personal identifying information (“PII”) to develop a written policy for the destruction or proper disposal of those paper and electronic documents when they are no longer needed.
- Section 6-1-713.5 requires companies that maintain, own, or license PII of Colorado residents to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII and to the nature and size of the business and its operations.
Settlement Fines and Fees
The settlement with the state required the company to pay the State $80,000 and the State’s attorneys’ fees of $8,242.12.
SEMA will need to comply with the provisions of section 6-1-713.5 of the Act. It must maintain reasonable security procedures and practices, such as:
- Develop, implement, and maintain a comprehensive written information security program (“ISP”) reasonably designed to protect the security, integrity, and confidentiality of PII.
This includes designating an employee to develop and implement the ISP, and adopting written policies that adhere to an Appropriate Standard for the secure storage and proper disposal of PII. It also includes appropriate controls to verify user identity upon system or application access, with supporting rationale for the controls chosen. The Company shall, on at least an annual basis, review the safeguards it has put in place to protect PII, to ensure they remain up to date with any modifications to the Appropriate Standard.
The ISP shall address the specific vulnerabilities that led to the breach, including at least annual training on the secure storage and handling of PII that covers, but is not limited to:
- Phishing awareness and detection for all employees and other workers.
The Company shall also create policies and protocols for employee reporting of suspected phishing emails and for a prompt institutional response.
How Can We Help
Our team of privacy, IT and risk experts can assist with data tracking and management, using discovery tools to find all sensitive data. We then use that data, along with a Privacy Health Check, to create a risk register and roadmap to improve compliance before an issue occurs. Value Privacy also offers managed services to run your privacy program on established top-tier platforms, while keeping you current on the latest privacy regulation developments. In the event of an inquiry, we can assist with the response, working with management to minimize the impact to the company.