TD Bank recently agreed to pay $850,000 as part of a multi-state settlement agreement with state attorneys from Connecticut, Florida, Maine, Maryland, North Carolina, New Jersey, New York, Pennsylvania, and Vermont. While the assurances in the settlement agreement only bind TD Bank, other companies with electronic records containing consumers’ personal information can benefit from this agreement by interpreting its requirements as minimum standards for their internal security policies and procedures.
This agreement relates to a data breach in 2012 in which 1.4 million files were compromised. The breach resulted from the loss of two data backup tapes during shipment. The tapes contained data that had been accumulated over a period of eight to ten years. More importantly, the tapes contained personal information, such as names, addresses, social security numbers, account numbers, dates of birth, and drivers’ license numbers of bank customers. The tapes were not only lost but also unencrypted. In total, the breach potentially affected more than 267,000 consumers nationwide.
Although the breach occurred in March 2012, it was not reported to state attorneys or consumers until October 2012. While it is not clear when the bank became aware of the breach, it is unlikely that the breach went unnoticed for seven months. The bank’s failure to timely notify states and consumers triggered investigations by state attorneys. In an October 17, 2014 press release, Vermont Attorney General Sorrell stated, “the most important things a business can do once it’s suffered a breach are to remedy the problem and get notice out as quickly as possible.” This concern was reiterated by North Carolina Attorney General Cooper – “the sooner consumers learn that their information has been breached, the sooner they can act to stop and even prevent damage. That’s why it’s critical that breaches get reported as soon as possible.”
TD Bank’s failure to timely notify states and consumers about the breach resulted in heightened scrutiny from states. If a data breach or security incident involving personal information occurs, companies should timely notify consumers and state attorneys of the breach. In addition, companies should review breach notification statutes in all states with impacted residents as states may have statutes with specific timing requirements for notifications to be considered timely.
With the increased prevalence of data breaches and security incidents, this is an area of growing concern. Because nine states were parties to this agreement, it provides valuable insights into trending privacy concerns at the state level. As Connecticut Attorney General Jepsen stated, “the importance of this agreement goes significantly beyond financial remedies by seeking to ensure that future similar breaches are prevented.” While the bank’s monetary payment to the state may be used for things like improving consumer protections or privacy enforcement, the bank’s assurances provide constructive feedback on areas of state concern.
Not surprisingly, the bank promised to comply with a list of statutes regarding consumer protection, personal information safeguards, and breach notification. Although this list of statutes is limited to states that were parties to the agreement, companies with a presence in these states should consult with the listed statutes to ensure that existing and future information security policies and procedures are in compliance.
Because this breach resulted from the physical loss of data while in transport, the agreement included specific assurances with regard to transportation. Most importantly, companies should address storage, access, transfer, and transportation of personal information in their security policies and procedures. Moreover, these policies and procedures should include reasonable steps to select and retain transportation service providers. Before portable computerized storage devices, such as backup tapes, are transported off company property, the personal information they contain should be encrypted, and the shipment should comply with internal policies regarding transportation. If it is not feasible to encrypt historical data, transportation by an armored vehicle may be a reasonable alternative. Furthermore, companies should regularly assess the effectiveness of their internal controls and procedures regarding portable computerized storage devices and update them if needed. Also, companies should annually train employees responsible for creating or handling portable computerized storage devices about the importance of consumer privacy, on their duties regarding privacy, and on internal procedures for reporting unauthorized disclosure of personal information.
Finally, a company should designate an employee responsible for coordinating and supervising internal programs designed to protect the privacy and security of personal information. In order to better protect personal information, companies should develop and maintain reasonable security policies and procedures. In addition to addressing transportation and storage concerns, these policies and procedures should also include the procedure for responding to unauthorized acquisition, access, use, or disclosure of personal information. Moreover, policies and procedures should be reviewed on at least a bi-annual basis and promptly amended, if necessary.
Companies should capitalize on TD Bank’s settlement agreement by using it as guidance for internal policies and procedures on the protection of consumers’ personal information.
Sandra M. Eismann-Harper