TD Bank will settle to the tune of $625,000 over a March 2012 data breach that authorities say put more than 90,000 Massachusetts residents at risk, and over its delay in notifying the attorney general’s office of the incident.
"Massachusetts data breach law requires businesses to provide notice of a data breach promptly," Attorney General Martha Coakley said in a statement announcing the settlement. "Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost."
According to the attorney general’s office, in March 2012, TD Bank lost two unencrypted computer server backup tapes that were being transported via third-party courier from its Haverhill office to its Springfield office.
When the bank learned the tapes had not arrived, Coakley’s office said, it undertook its own internal investigation and learned the tapes may have contained information such as addresses, Social Security numbers or account numbers for more than 260,000 customers nationwide, 90,000 of those in Massachusetts. However, the bank did not notify the attorney general’s office until October of that year.
According to the settlement, Coakley’s office alleges that TD Bank violated state data security regulations, including by failing to comply with its own policies requiring encryption of the personal information on the tapes and by failing to retain a third-party service provider capable of maintaining appropriate security measures when transporting the tapes. The attorney general’s office also alleged that the bank violated the state data breach notice law by delaying notice of the incident for as long as it did. TD Bank represented that there has been no evidence of fraud or unauthorized access or use of the personal information involved in the incident.
TD Bank’s $825,000 settlement will include $325,000 in civil penalties, $75,000 in attorney’s fees and costs and $225,000 to a consumer aid fund set up by the attorney general’s office. TD Bank was credited $200,000 to reflect security measures and upgrades it has already taken following the incident. Coakley’s office said the bank cooperated throughout the investigation. Additionally, TD Bank agreed to give prompt notice of future data breaches and to comply with Massachusetts data security regulations.





