Nine states joined in an agreement with TD Bank to settle allegations about the bank's March 2012 data breach that affected 260,000 persons, including more than 90,000 in Massachusetts. In a statement, the Office of Martha Coakley, Attorney General for the Commonwealth of Massachusetts, announced that the bank:
"... violated state data security regulations, including by failing to comply with its own policies requiring encryption of the personal information on the tapes, and by failing to retain a third-party service provider capable of maintaining appropriate security measures when transporting the tapes. The AG’s Office also alleged that TD Bank violated the state data breach notice law by delaying providing notice of the March 2012 data security incident until October 2012."
The breach occurred when the bank's back-up tapes containing unencrypted information (e.g., names, Social Security numbers, bank account numbers, drivers' license numbers, etc.) were lost during shipment to a vendor. Terms of the settlement agreement with Massachusetts:
"... TD Bank has agreed to a settlement amount of $825,000. TD Bank will pay $325,000 in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a fund administered by the AG’s Office to promote education or to fund local consumer aid programs. In addition, TD Bank has been credited $200,000 to reflect security measures and upgrades it has already taken following the incident."
The bank also agreed to provide prompt notice of any future data breaches and to comply with Massachusetts data security laws:
- Encrypt customers' personal information stored on back-up tapes,
- Require third-party vendors to implement and maintain appropriate security procedures,
- Review the data security practices and procedures of third-party vendors,
- Complete a review of the bank’s compliance with its own security policies and procedures, and
- Monitor for instances of unauthorized access or use of the personal information resulting from the breach.
Unencrypted computer backup tapes surely make it convenient for identity thieves and criminals. A visit Tuesday to the bank's home page showed an HTTP browser connection instead of a more secure HTTPS connection. You'd think that the bank would have upgraded its home page connection to show both current and prospective customers that it is serious about security. Do the bank's executives get it? Perhaps the settlement penalty amount was not large enough.
What are your opinions of the settlement agreement?