TD Bank Agrees to Breach Settlement
Nine States Impose Fine After Incident Affecting 260,000
The settlement, announced Oct. 15 by New York Attorney General Eric T. Schneiderman, requires TD Bank to pay an $850,000 fine and reform its practices to help prevent breaches. An official close to the investigation tells Information Security Media Group that the fine is tied to the bank's security habits and untimely notification of the breach.
"Consumers expect financial institutions to protect their personal information, and this settlement will help reform the policies and procedures that allowed this breach to happen," Schneiderman says. "There has to be one set of rules for everyone, and that includes the big banks and financial institutions entrusted with protecting the sensitive personal information of customers."
Nine attorneys general, including those in Connecticut, Florida, Maine, Maryland, New Jersey, North Carolina, Pennsylvania, Vermont and New York, worked for a year and a half to investigate the breach and the bank's policies and procedures, Schneiderman says.
TD Bank says it's been continually enhancing its technologies and processes to better protect the personal information of its customers since the incident in 2012. "This agreement highlights our efforts to evolve our security controls to further benefit our customers," says Rebecca Acevedo, a TD Bank spokesperson. "TD Bank has settled with the attorneys general in an effort to resolve this issue."
The bank says it has no evidence of fraud connected to the breach.
Shirley Inscoe, an analyst at the consultancy Aite Group, expects similar multi-state settlements in the wake of other data breaches. "State attorneys general are starting to band together far more often to investigate data breaches and other types of consumer protection issues," she says. "Certainly, they wield more power collectively than any one of them does individually."
TD Bank reported in October 2012 that two unencrypted backup tapes, which contained 1.4 million files on 260,000 bank customers nationwide, were lost (see: TD Bank Breach Response Questioned). The bank, in its breach notification letter, said the tapes, which contained personal information, were misplaced in late March of 2012 while in transit to one of the bank's Massachusetts locations.
The information on the tapes may have included names, addresses, Social Security numbers, account numbers and/or other data elements, such as dates of birth or driver's license numbers, the bank says. As a result, TD Bank offered affected customers 12 months of free credit monitoring services, although the bank advised its customers to monitor their accounts for 24 months.
When the breach was initially reported, the attorneys general in New York, Massachusetts and New Hampshire posted notices on their websites acknowledging they received the notice from TD Bank about the breach.
As part of its agreement with the attorneys general, TD Bank is required to notify state residents of any security breaches in a timely manner. In addition, the bank has agreed to maintain reasonable security policies to protect personal information, including ensuring that no backup tapes will be transported unless they are encrypted and all security protocols are followed.
TD Bank will also review on a bi-annual basis its internal policies regarding the collection, storage and transfer of consumers' personal information and will make changes to better protect such information. The bank will also institute further training for its employees.