TD Bank Breach Response QuestionedExperts Say Apparent 6-Month Delay Difficult to Justify
TD Bank's Oct.12 reporting of the March loss of two backup tapes that may have exposed personally identifiable information about 260,000 of the bank's 8 million U.S. customers is raising serious questions about the institution's notification strategy.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pmRon Raether, a legal expert in breach response, says TD Bank's delayed notification appears to violate commonly accepted breach-notification practices. And Raether predicts the bank will face consumer class action lawsuits as well as state fines.
TD Bank, in the breach-notification letter it sent to states where affected customers reside, says two backup tapes containing personal information were misplaced in late March while in transit to one the bank's locations. The bank did not specify to where the tapes were being shipped or whether they were encrypted.
TD Bank spokeswoman Rebecca Acevedo told BankInfoSecurity the bank has no evidence that the data on those lost tapes has been used for any inappropriate purpose. "We continue to vigilantly monitor our customer accounts," she adds.
The bank claims the incident is isolated and is being investigated internally, although law enforcement has been notified.
Acevedo declined to comment about when the breach was discovered.
Information on the Tapes
The information on the tapes may have included names, addresses, Social Security numbers, account numbers and/or other data elements, such as dates of birth or driver's license numbers, the bank stated in its notification to state attorneys general. As a result, TD Bank is offering affected customers 12 months of free credit monitoring services, although the bank advises that those customers monitor their accounts for 24 months.
Attorneys general in Massachusetts and New Hampshire have posted notices on their websites acknowledging they received the notice from TD Bank about the breach. But news media reports have said customers in California, Florida, Maine, Connecticut, Maryland and Rhode Island also were affected.
Acevedo would not confirm the states where the banks customers were affected. But she did confirm that all affected consumers were being notified the week of Oct. 15.
Attorneys General Statements
According to the Oct. 12 statement posted by the Massachusetts attorney general, about 73,000 state residents were affected by the breach.
"The loss of these tapes potentially puts the personal information of thousands of Massachusetts consumers at risk, and we remind consumers to take appropriate steps to protect themselves," said Attorney General Martha Coakley. "We will be reviewing the circumstances of this breach and the steps that TD Bank is taking to address the loss."
The New Hampshire attorney general posted a similar notice Oct.15, saying nearly 44,000 New Hampshire residents could be affected. "The bank notified the attorney general that personal information of New Hampshire residents was included on two data backup tapes that the bank shipped to one of their locations in March 2012," the post states. "The tapes were reported as missing and the bank remains unable to locate them."
Timing of Notification Questioned
Although it's not clear when TD Bank actually discovered the breach, Raether speculates that the loss of the tapes was likely discovered shortly after they were misplaced in March. If that's the case, the bank took too long to notify authorities as well as individuals affected, he adds.
"The best practice is to contact AGs [attorneys general] in the affected states right away," Raether says. "If they learned of the breach in March, then they've obviously not met the timing requirements," at least not for most states' breach-notification laws."
If attorneys general determine that TD Bank did not meet requirements for reporting the breach to the states, the bank could face hefty penalties, Raether says. He points out that in 2011, health insurer WellPoint Inc. settled with the state of Indiana and agreed to pay $100,000 after delaying notification of 32,000 victims of a breach that exposed Social Security numbers, financial information and health records.
The bank could justify the late notification, Rather says, if law enforcement told bank officials that notifying the public too soon could jeopardize an investigation, he adds. But Raether believes that's unlikely.
"The bank laid out grounds for class action by offering 12 months of identity theft coverage, but then said consumers should monitor their accounts for 12 to 24 months," Raether says. "If they need to monitor accounts for 24 months, then they should be given 24 months of free protection."
While timing requirements vary among the 48 states that have breach-notification laws, Raether says the reasonable amount of time between a breach and notification is typically 45 days.
Mark Bower, a data protection expert at Voltage, which specializes in data storage security, says if TD Bank's lost files were encrypted, the bank may not have felt compelled to immediately notify the public.
In Massachusetts, for instance, the state's definition of what constitutes a breach differentiates data based on how it is protected.
"A breach of security is defined as 'the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth,'" Bower says. "So, encrypted data - without the key or access to the key(s) - is no longer considered personal information, as defined by the regulation."
But Sam Imandoust, a legal analyst for the Identity Theft Resource Center, says TD Bank likely would not have reported the breach if the tapes were encrypted.
"There may be some question over whether this is really a breach - losing something as opposed to having it stolen or taken because it was hacked in to," Imandoust adds. "But I don't know if that's really something you can hide behind. You have to think about whether or not harm can occur. And when you think about the fact that 260,000 people could be impacted, this is important stuff."
Like Raether, Imandoust says the six-month lapse seems extreme under any circumstance.
Setting an Example
The breach illustrates how banks and credit unions have to balance what's required by the law with what is reasonable, Imandoust says.
"The fact of the matter is, you have customers, and they want to know when a breach occurs," he says. "We don't yet know the extent of the fallout that will occur as a result of this breach and the notification. But I'm sure this instance will be used as a guideline for how other institutions respond when critical information is misplaced."