DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

TD Bank to Pay $625,000 to Address Data Breach Involving Thousands of Massachusetts Residents

Posted on December 9, 2014 by Dissent

A multi-state settlement over the lost backup tapes was reported in October, but the Massachusetts Attorney General’s Office just issued this press release over what appears to be a separate and second settlement stemming from the same incident: 

TD Bank will pay $625,000 and must take steps to strengthen its security practices after losing unencrypted back-up tapes containing personal information for more than 90,000 Massachusetts customers, and delaying a notice of the incident to the Attorney General’s Office and impacted residents, Attorney General Martha Coakley announced today.

“Massachusetts data breach law requires businesses to provide notice of a data breach promptly,” AG Coakley said. “Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost.”

In an assurance of discontinuance, filed today in Suffolk Superior Court, the AG’s Office alleges that in March 2012, the bank lost two unencrypted computer server backup tapes that were to be transported by a third-party courier from its Haverhill office to its Springfield office.

Upon learning that the tapes had not arrived, TD Bank undertook an internal investigation to determine the content of the tapes and determined that the tapes may have included the names, addresses, Social Security numbers, account numbers, or other data elements such as date of birth or driver’s license number, of Massachusetts residents. However, the bank did not notify the AG’s Office and potentially affected consumers about the breach as required under state law until October 2012. More than 260,000 consumers nationwide were impacted by the incident, including over 90,000 Massachusetts residents.

According to the settlement, the AG’s Office alleges that TD Bank violated state data security regulations, including by failing to comply with its own policies requiring encryption of the personal information on the tapes, and by failing to retain a third-party service provider capable of maintaining appropriate security measures when transporting the tapes. The AG’s Office also alleged that TD Bank violated the state data breach notice law by delaying providing notice of the March 2012 data security incident until October 2012. TD Bank represented that there has been no evidence of fraud or unauthorized access or use of the personal information involved in the incident.

To resolve the allegations, TD Bank has agreed to a settlement amount of $825,000. TD Bank will pay $325,000 in civil penalties, $75,000 in attorney’s fees and costs, and $225,000 to a fund administered by the AG’s Office to promote education or to fund local consumer aid programs. In addition, TD Bank has been credited $200,000 to reflect security measures and upgrades it has already taken following the incident. TD Bank cooperated with the AG’s Office throughout the investigation.

In addition, TD Bank has agreed to give prompt notice of future data breaches and to comply with Massachusetts data security regulations, including the following:

  • Encrypting personal information stored on back-up tapes;
  • Requiring third-party service providers to implement and maintain appropriate security measures;
  • Reviewing the security practices and procedures of third-party service providers that the bank entrusts with personal information;
  • Performing a review of the bank’s compliance with its own security policies and procedures;
  • Continuing to monitor for instances of unauthorized access or use of the personal information involved in the incident.

AG Coakley has led multiple investigations into potential violations of the state’s data protection laws. In January 2014, following Target Corporation’s announcement that the email information for approximately 70 million people could be affected by a data breach, AG Coakley joined the executive committee of a multi-state group to investigate the data breach.

In July 2009, AG Coakley led a $9.75 million multi-state settlement between TJX Companies and 41 states, resolving allegations stemming from a January 2007 data breach. Massachusetts received more than $950,000 to ensure personal data protection of Massachusetts residents.

For additional information, consumers may contact the Attorney General’s consumer hotline at (617) 727-8400, or view the Federal Trade Commission’s identity theft resource, available at www.consumer.gov/idtheft/.

This matter was handled by Assistant Attorney General Sara Cable of AG Coakley’s Consumer Protection Division.

SOURCE: Massachusetts Attorney General Coakley

Category: Financial SectorU.S.

Post navigation

← Widespread Employee Access to Sensitive Files Puts Critical Data at Risk – Survey
Unencrypted Data Lets Thieves ‘Charge Anywhere’ →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.