On December 8, Massachusetts Attorney General Martha Coakley announced a settlement with TD Bank, under which TD Bank must pay $625,000 and take several steps to strengthen its data security practices. The settlement agreement stems from a data breach that impacted over 90,000 Massachusetts residents and over 260,000 customers nationwide. The AG’s approach to this case and the resulting settlement underscore the importance of providing prompt notification following a data breach as well as maintaining adequate oversight over the security practices of third-party service providers.
The AG’s office alleged that TD Bank failed to provide timely notification after TD Bank determined that it could not account for two unencrypted backup tapes that a third-party courier was to transport between two of its offices. The backup tapes had been placed in a locked canvas bag on a secure loading dock in March 2012 for pickup by the courier. On May 16, 2012, TD Bank determined that it could not account for the tapes’ location or custody, and it then notified its federal regulator of the incident. An internal investigation by TD Bank revealed that the tapes may have contained several types of sensitive information, including names, addresses, Social Security numbers, and account numbers. TD Bank then retained a third-party forensics firm and undertook a four-month investigation costing over $1 million to determine whether the backup tapes contained personal information. TD Bank waited until October 2012 to notify the AG’s office and affected customers. The Massachusetts AG’s office alleged that “at least as of May 16, 2012, [TD Bank] knew or should have known, including through interviews with its employees concerning the general categories of information stored on the Backup Tapes, that the Backup Tapes contained unencrypted Personal Information of one or more Massachusetts residents.”
The AG’s office alleged that TD Bank violated Massachusetts law by failing to: (1) comply with its own written information security program (WISP) and Massachusetts data security regulations, which require encryption of personal information stored on backup tapes; (2) conduct an appropriate risk assessment with respect to the backup tapes; and (3) take reasonable steps to select and retain a third-party service provider capable of maintaining appropriate security measures when transporting the tapes.
By the terms of the settlement, TD Bank agreed to provide prompt notification of any further data breaches and to comply with Massachusetts data security regulations. In addition, TD Bank is required to conduct additional diligence and oversight of its service providers, including requirements to “make reasonable inquiry into the security practices and policies” of its service providers. The settlement agreement also includes a requirement that TD Bank “inform its board of directors of the resolution of this matter”—which appears to reflect the Massachusetts AG’s view that some cybersecurity matters may require board-level attention.
The settlement emphasizes the following key takeaways:
- Carefully evaluate when data breach notification is required. Massachusetts law requires notification as soon as practicable and without unreasonable delay when an entity that maintains or stores personal information knows or has reason to know that (1) a security breach has occurred or (2) there was an unauthorized acquisition or use of a resident’s personal information. Notice may be delayed only under a narrow set of exceptions, such as where a criminal investigation is ongoing.
- Exercise oversight over third-party service providers. It is not enough to keep one’s own house in order. Companies need to take reasonable steps to ensure that their service providers implement and maintain adequate security measures as well. Companies should review the security practices and procedures of any third parties that store or transmit personal information on their behalf, then put in place contractual terms that provide reasonable and appropriate security safeguards.
- Implement and maintain an adequate data security compliance program. Any entity that owns, licenses, stores, or maintains the personal information of Massachusetts residents must have a comprehensive WISP that lays out security safeguards appropriate to the size and scope of the business as well as the nature of the information stored. Massachusetts also requires encryption, to the extent technically feasible, of personal information stored on laptops or other portable devices (including backup tapes). In addition, a security risk assessment is required by Massachusetts law (as well as several other data security laws, regulations, and standards) covering systems and applications containing personal information.
The Massachusetts settlement calls for a total payment of $825,000, but provides TD Bank with a $200,000 credit for TD Bank’s purchase and implementation of additional security measures following the incident. This settlement follows a multi-state settlement agreement reached in October and stemming from the same incident. That agreement requires TD Bank to pay $850,000 and make a number of data security commitments similar to those described above. The AGs of Connecticut, Florida, Maine, Maryland, North Carolina, New Jersey, New York, Pennsylvania, and Vermont joined the previous settlement.