Last week, the attorneys general (AGs) of several states announced a multi-state settlement agreement with TD Bank over the bank's 2012 data breach, which exposed the sensitive financial information of consumers. New York State AG Eric T. Schneiderman announced:
"The data breach occurred in 2012, when TD Bank reported the loss of unencrypted backup tapes in Massachusetts. The tapes contained 1.4 million files and 1,800 different file types that had been accumulated over a period of 8 to 10 years. In total, the files contained various personal information for 260,000 TD Bank customers nationwide, including 31,407 in New York State.... The $850,000 settlement requires the bank to reform its practices to help ensure that future incidents do not occur. New York State will receive $114,106.11 under the settlement."
Other terms of the settlement agreement:
"The agreement requires TD Bank notify state residents of any future security breaches or other acquisitions of personal information in a timely manner. TD Bank also agreed to maintain reasonable security policies to protect personal information. The agreement ensures that no backup tapes will be transported unless they are encrypted and all security protocols are complied with. TD Bank will review on a bi-annual basis their existing internal policies regarding the collection, storage and transfer of consumers’ personal information and will make changes to better protect such information. TD Bank will also institute further training for its employees."
The State of Florida led the settlement negotiation along with Connecticut, Maine, Maryland, New Jersey, New York, North Carolina, Pennsylvania and Vermont.
43,157 residents in Connecticut were affected by the data breach. Connecticut AG George Jepsen stated in an announcement:
"The importance of this agreement goes significantly beyond financial remedies by seeking to ensure that future similar breaches are prevented. Consumers have a reasonable expectation of privacy and protection when it comes to their personal and financial information. This agreement recognizes those rights and ensures that TD Bank will continue to work to address the policies and procedures in place in 2012 that contributed to this breach in the first place..."
659 residents in Maryland were affected by the data breach. Maryland AG Douglas F. Gansler said about the settlement:
"Banks are as obligated to safeguard their customers' personal information as they are to protect their customers' money... While it appears this breach did not lead to any cases of identity theft, we must be aggressive to combat both traditional fraudsters and sophisticated hackers."
This was not the bank's first data breach. TD Bank experienced data breaches before 2012:
- March 2011: "insider identity theft" involving an employee who sold the account information of about 10 customers, causing about $39,000 in fraudulent charges
- March 2010: a fraud ring, using a former employee, stole and sold the account information of customers to accomplices who then stole about $200,000 from bank accounts