Greg Turner reports:
Belmont Savings Bank agreed to pay $7,500 in a settlement of a consumer data breach case with the state attorney general’s office.
In May, the bank lost an unencrypted computer tape containing the personal information of more than 13,000 customers.
A bank employee left the backup tape on a desk instead of storing it in a vault for the night, and it was inadvertently tossed into the trash by a cleaning crew, according to Attorney General Martha Coakley’s office. The tape “was most likely incinerated” by the bank’s waste-disposal company.
Read more on BostonHerald.com
As much as I am for enforcement, I must confess that I do not approve of this fine. What is the point in fining an entity for a human error mistake – one of those momentary brain fade mistakes that we all make many times in our lives and work? Wouldn’t it just make more sense to say, “Thanks for reporting and notifying your customers, and what’s your plan so you avoid this type of screwup again?”
If Massachusetts or states start fining for breaches like this one, we may wind up with more entities trying to hide breaches. And that would not be a good outcome.
Let’s save the fines for more egregious breaches or where entities have repeat breaches because they do not seem to have learned from their mistakes.
Why do they have unencrypted tapes? Mistakes are always the end of a chain.
Here’s Attorney General Coakley’s statement on the matter. It seems like they were fined for not following their protocol on handling the tape, but it doesn’t say whether the fine was because they failed to encrypt it to begin with, or whether that was a violation of their protocol. When things slow down here, I’ll try to follow up to find out more about why, with all of the mistakes made every day, this one resulted in a fine.