TD Bank will pay $625,000 and must take steps to strengthen its security practices after losing unencrypted back-up tapes containing personal information for more than 90,000 Massachusetts customers, and delaying a notice of the incident to the Attorney General’s Office and impacted residents, Attorney General Martha Coakley announced today.
“Massachusetts data breach law requires businesses to provide notice of a data breach promptly,” Coakley said. “Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost.”
In an assurance of discontinuance, filed today in Suffolk Superior Court, the attorney general’s office alleges that in March, 2012, the bank lost two unencrypted computer server backup tapes that were to be transported by a third-party courier from its Haverhill office to its Springfield office.
Upon learning the tapes had not arrived, TD Bank undertook an internal investigation to determine the content of the tapes and determined the tapes may have included the names, addresses, social security numbers, account numbers or other data elements such as date of birth or driver’s license numbers of Massachusetts residents. However, the bank did not notify the attorney general and potentially affected consumers about the breach as required under state law until October, 2012. More than 260,000 consumers nationwide were impacted by the incident, including more than 90,000 Massachusetts residents.
According to the settlement, the AG’s office alleges TD Bank violated state data security regulations, including by failing to comply with its own policies requiring encryption of the personal information on the tapes, and by failing to retain a third-party service provider capable of maintaining appropriate security measures when transporting the tapes. The AG’s office also alleged that TD Bank violated the state data breach notice law by delaying providing notice of the March 2012 data security incident until October, 2012. TD Bank represented that there has been no evidence of fraud or unauthorized access or use of the personal information involved in the incident.
To resolve the allegations, TD Bank has agreed to a settlement amount of $825,000. TD Bank will pay $325,000 in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a fund administered by the AG’s Office to promote education or to fund local consumer aid programs. In addition, TD Bank has been credited $200,000 to reflect security measures and upgrades it has already taken following the incident. TD Bank cooperated with the AG’s Office throughout the investigation.
In addition, TD Bank has agreed to give prompt notice of future data breaches and to comply with Massachusetts data security regulations, including the following:
- Encrypting personal information stored on back-up tapes;
- Requiring third-party service providers to implement and maintain appropriate security measures;
- Reviewing the security practices and procedures of third-party service providers that the bank entrusts with personal information;
- Performing a review of the bank’s compliance with its own security policies and procedures;
- Continuing to monitor for instances of unauthorized access or use of the personal information involved in the incident.
Coakley has led multiple investigations into potential violations of the state’s data protection laws. In January, 2014, following Target Corporation’s announcement that the email information for approximately 70 million people could be affected by a data breach, Coakley joined the executive committee of a multi-state group to investigate the data breach.
In July, 2009, Coakley led a $9.75 million multi-state settlement between TJX Companies and 41 states, resolving allegations stemming from a January 2007 data breach. Massachusetts received more than $950,000 to ensure personal data protection of Massachusetts residents.