TD Bank to Pay Second Breach PenaltyMassachusetts Cites Bank for Tardy Notification
TD Bank has agreed to a second state settlement tied to a data breach involving the loss of two backup tapes that may have exposed personally identifiable information for 260,000 of the bank's 8 million U.S. customers.
The $625,000 settlement with the Massachusetts attorney general is separate from an earlier, $850,000, nine-state settlement (see: TD Bank Agrees to Breach Settlement). Massachusetts pursued its own investigation because the breach occurred in that state and affected a large number of its residents, a spokesperson for the attorney general tells Information Security Media Group.
The Latest Settlement
In the Massachusetts settlement, Attorney General Martha Coakley said the breach exposed the personal information of more than 90,000 Massachusetts customers.
Coakley alleged that TD Bank violated the state's data breach notice law by delaying providing notice of the March 2012 incident until October 2012. Under Massachusetts law, breached entities are required to provide written notice "as soon as practicable and without unreasonable delay."
"Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost," Coakley says.
TD Bank, in a statement, says it has been continually enhancing its technologies and processes to better protect the personal information of its customers. "This agreement highlights our efforts to evolve our security controls to further benefit our customers," says Judith Schmidt, a TD Bank spokesperson. "TD Bank has settled with the attorneys general in an effort to resolve this issue."
Under the Massachusetts settlement, TD Bank will pay $325,000 in civil penalties, $75,000 in attorney's fees and costs, and $225,000 to a fund administered by the attorney general's office to promote education or to fund local consumer aid programs.
In addition, TD Bank has agreed to give prompt notice of future data breaches and to comply with Massachusetts data security regulations, which mandate that organizations encrypt personal information stored on back-up tapes; require third-party service providers to implement and maintain appropriate security measures; and review the security practices and procedures of third-party providers entrusted with personal information.
Backup Tapes Lost
TD Bank reported in October 2012 that two unencrypted backup tapes, which contained 1.4 million files on 260,000 bank customers nationwide, were lost (see: TD Bank Breach Response Questioned). The bank, in its breach notification letter, said the tapes, which contained personal information, were misplaced in late March of 2012 while in transit to one of the bank's Massachusetts locations.
The information on the tapes may have included names, addresses, Social Security numbers, account numbers and/or other data elements, such as dates of birth or driver's license numbers, the bank says. As a result, TD Bank offered affected customers 12 months of free credit monitoring services, although the bank advised its customers to monitor their accounts for 24 months.