TD Bank Agrees to Breach Settlement

Nine States Impose Fine After Incident Affecting 260,000
TD Bank Agrees to Breach Settlement
TD Bank has agreed to a multi-state settlement in the wake of a 2012 data breach involving the loss of two backup tapes that may have exposed personally identifiable information about 260,000 of the bank's 8 million U.S. customers.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

The settlement, announced Oct. 15 by New York Attorney General Eric T. Schneiderman, requires TD Bank to pay an $850,000 fine and reform its practices to help prevent breaches. An official close to the investigation tells Information Security Media Group that the fine is tied to the bank's security habits and untimely notification of the breach.

"Consumers expect financial institutions to protect their personal information, and this settlement will help reform the policies and procedures that allowed this breach to happen," Schneiderman says. "There has to be one set of rules for everyone, and that includes the big banks and financial institutions entrusted with protecting the sensitive personal information of customers."

Nine attorneys general worked for a year and a half to investigate the breach and the bank's policies and procedures, Schneiderman says, including those in Connecticut, Florida, Maine, Maryland, New Jersey, North Carolina, Pennsylvania, Vermont and New York.

TD Bank says it's been continually enhancing its technologies and processes to better protect the personal information of its customers since the incident in 2012. "This agreement highlights our efforts to evolve our security controls to further benefit our customers," says Rebecca Acevedo, a TD Bank spokesperson. "TD Bank has settled with the attorneys general in an effort to resolve this issue."

The bank says it has no evidence of fraud connected to the breach.

Shirley Inscoe, an analyst at the consultancy Aite Group, expects similar multi-state settlements in the wake of other data breaches. "State attorneys general are starting to band together far more often to investigate data breaches and other types of consumer protection issues," she says. "Certainly, they wield more power collectively than any one of them does individually."

Breach Background

TD Bank reported in October 2012 that two unencrypted backup tapes, which contained 1.4 million files on 260,000 bank customers nationwide, were lost (see: TD Bank Breach Response Questioned). The bank, in its breach notification letter, said the tapes, which contained personal information, were misplaced in late March of 2012 while in transit to one of the bank's Massachusetts locations.

The information on the tapes may have included names, addresses, Social Security numbers, account numbers and/or other data elements, such as dates of birth or driver's license numbers, the bank says. As a result, TD Bank offered affected customers 12 months of free credit monitoring services, although the bank advised its customers to monitor their accounts for 24 months.

When the breach was initially reported, the attorneys general in New York, Massachusetts and New Hampshire posted notices on their websites acknowledging they received the notice from TD Bank about the breach.

Settlement Details

As part of its agreement with the attorneys general, TD Bank is required to notify state residents of any security breaches in a timely manner. In addition, the bank has agreed to maintain reasonable security policies to protect personal information, including ensuring that no backup tapes will be transported unless they are encrypted and all security protocols are followed.

TD Bank will also review on a bi-annual basis its internal policies regarding the collection, storage and transfer of consumers' personal information and will make changes to better protect such information. The bank will also institute further training for its employees.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.