TD Bank this week reached a $625,000 settlement with the Massachusetts Attorney General’s Office after losing unencrypted back-up tapes containing personal information of more than 260,000 consumers nationwide, and delaying notice of the incident. The final settlement amounted to $825,000, but the AG’s Office credited the bank $200,000 to reflect security measures and upgrades it has already taken following the incident.

TD Bank further cooperated with the AG’s Office throughout the investigation. As a result, the final settlement amount equates to $325,000 in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a fund administered by the AG’s Office to promote education, or to fund local consumer aid programs.

“Massachusetts data breach law requires businesses to provide notice of a data breach promptly,” Massachusetts Attorney General Martha Coakley said in a statement. “Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost.”  

According to the allegations, TD Bank lost two unencrypted computer server backup tapes in 2012 that were to be transported by a third-party courier. Upon learning that the tapes had not arrived, TD Bank undertook an internal investigation to determine their content.

Even after TD Bank determined that the tapes may have included the names, addresses, Social Security numbers, account numbers, or other personal data, the bank failed to notify the AG’s office about the breach until several months later.

The AG’s Office further alleged that TD Bank violated state data security regulations, including by failing to comply with its own policies requiring encryption of the personal information on the tapes, and by failing to retain a third-party service provider capable of maintaining appropriate security measures when transporting the tapes.

The AG’s Office also alleged that TD Bank violated the state data breach notice law by delaying providing notice of the March 2012 data security incident until October 2012. TD Bank represented that there has been no evidence of fraud or unauthorized access or use of the personal information involved in the incident. 

Remedial Measures

In addition to security measures and upgrades TD Bank already has taken following the incident, the bank has agreed to give prompt notice of future data breaches and to comply with Massachusetts data security regulations, including the following:

Encrypting personal information stored on back-up tapes;

Requiring third-party service providers to implement and maintain appropriate security measures;

Reviewing the security practices and procedures of third-party service providers that the bank entrusts with personal information;

Performing a review of the bank’s compliance with its own security policies and procedures; and

Continuing to monitor for instances of unauthorized access or use of the personal information involved in the incident.

In 2009, Coakley led a $9.75 million multi-state settlement between TJX Companies and 41 states, resolving its infamous data privacy breach in 2007 that exposed the private data of some 46 million people.