TD Bank—a well-known name throughout Massachusetts, not the least of which for having the naming rights to the stadium where the Bruins play—has been ordered to pay $625,000 in damages to the state in the wake of a data breach.
While that’s a drop in the bucket to a bank the size of TD, the state Attorney General’s office also mandated that it must take steps to strengthen its security practices.
The incident was significant: In an assurance of discontinuance, filed today in Suffolk Superior Court, the AG’s Office alleges that in March 2012, the bank lost two unencrypted computer server backup tapes that were to be transported by a third-party courier from its Haverhill office to its Springfield office. These contained personal information for more than 90,000 Massachusetts customers, but the AG said that TD Bank delayed a notice of the incident to both the state and impacted residents.
“Massachusetts data breach law requires businesses to provide notice of a data breach promptly,” said Attorney General Martha Coakley, in a statement. “Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost.”
Upon learning that the tapes had not arrived, TD Bank undertook an internal investigation to determine the content of the tapes and determined that the tapes may have included the names, addresses, Social Security numbers, account numbers or other data elements such as date of birth or driver’s license number, of Massachusetts residents. However, the bank still did not notify the AG’s Office and potentially affected consumers about the breach as required under state law until October 2012—seven months later. More than 260,000 consumers nationwide were impacted by the incident.
According to the settlement, the AG’s Office alleges that TD Bank violated state data security regulations, including by failing to comply with its own policies requiring encryption of the personal information on the tapes, and by failing to retain a third-party service provider capable of maintaining appropriate security measures when transporting the tapes. The AG’s Office also alleged that TD Bank violated the state data breach notice law by delaying providing notice of the March 2012 data security incident until October 2012. TD has said that there has been no evidence of fraud or unauthorized access or use of the personal information involved in the incident.
To resolve the allegations, TD Bank has agreed to a settlement amount of $825,000. TD Bank will pay $325,000 in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a fund administered by the AG’s Office to promote education or to fund local consumer aid programs. In addition, TD Bank has been credited $200,000 to reflect security measures and upgrades it has already taken following the incident.
In addition, TD Bank has agreed to give prompt notice of future data breaches and to comply with Massachusetts data security regulations, including the following:
Encrypting personal information stored on back-up tapes;
Requiring third-party service providers to implement and maintain appropriate security measures;
Reviewing the security practices and procedures of third-party service providers that the bank entrusts with personal information;
Performing a review of the bank’s compliance with its own security policies and procedures;
And continuing to monitor for instances of unauthorized access or use of the personal information involved in the incident.