On October 10, 2014, TD Bank, N.A. entered into an assurance of voluntary compliance (“Assurance”) with a multistate group of nine attorneys general to settle allegations that the company violated state consumer protection and personal information safeguards laws in connection with a 2012 data breach. The breach involved the loss of two unencrypted backup tapes containing the personal information of approximately 260,000 customers. The Assurance requires TD Bank to pay $850,000 to the attorneys general.
In addition to the payment, the Assurance calls for TD Bank to:
- Notify affected residents of the nine states of any future breach of security or other unauthorized acquisition of personal information in a timely manner;
- Maintain reasonable security policies and procedures to protect personal information, including a prohibition on transporting unencrypted backup tapes;
- Assess the company’s internal policies regarding the collection, storage and transfer of consumers’ personal information at least every two years, making changes as needed to more adequately protect the confidentiality and privacy of personal information; and
- Provide training for its employees on securing backup tapes.