TD Bank to Pay $850,000, Improve Security To End State Attorneys General Breach Case

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Joyce

Oct. 17 — TD Bank NA agreed in a no-fault assurance of voluntary compliance to pay $850,000 and enhance data security standards and employee training to resolve an investigation conducted by nine state attorneys general concerning a 2012 data breach at the bank affecting about 260,000 customers, Connecticut Attorney General George Jepsen (D) told Bloomberg BNA Oct. 17.

New York Attorney General Eric T. Schneiderman (D) announced the agreement Oct. 15.

Under terms of the agreement, the bank agreed to pay the penalty to the states plus maintain reasonable security policies to protect customers' personal data and enhance data security training for its employees, Schneiderman said in a statement.

Bank Reported Breach

In October 2012, TD Bank announced the breach, a loss in Massachusetts of unencrypted backup tapes containing 1.4 million files—data accumulated over as many as 10 years, according to the attorney general's statement.

TD Bank contacted Jepsen's office to inform it of the breach, Matthew Fitzsimmons, Connecticut assistant attorney general, told Bloomberg BNA Oct. 17. “We did have some disagreements on the legal implications of what happened, but overall they were very cooperative throughout the investigation and the negotiations,” Fitzsimmons said.

“Since first reporting this issue in fall 2012, TD Bank has been continually enhancing our technologies and processes to better protect the personal information of our customers,” TD Bank spokeswoman Rebecca Acevedo told Bloomberg BNA Oct. 15.

“Prior to the settlements with the Attorneys General, TD Bank made additional upgrades to its processes to continuously enhance the security of our customers' information.”

“This agreement highlights our efforts to evolve our security controls to further benefit our customers,” Acevedo said. “TD Bank has settled with the Attorneys General in an effort to resolve this issue.”

“To date, the bank has not detected any unusual incidents of fraud related to customers who were impacted by this incident, nor has any customer reported any to us, and we continue to monitor customer accounts for fraud,” Acevedo added.

Connecticut, Florida, Maine, Maryland, New Jersey, New York, North Carolina, Pennsylvania and Vermont participated in the investigation.

Retailers at ‘Tipping Point.'

“Data breaches are occurring with increasing frequency across the board. They are not limited to financial companies, Jepsen said.

Jepsen said several industries besides financial firms are under ever increasing, and more sophisticated, cyberattacks.

“At TD it was a matter of tapes lost somewhere between the loading dock and where they were supposed to go, and that can happen. We've had a number of health-care institutions here in Connecticut where laptops were left somewhere, a thumb drive was left somewhere. It can be accidents like that,” he said.

“Retailers are reaching the tipping point where collectively there is a need to look at what technologies can be used” to enhance security, the Jepsen said.

Fitzsimmons, a data security specialist, said emerging solutions will likely be developed by both industry and government. Jepsen agreed.

Attorneys general “can be a real catalyst in terms of driving industries in directions they need to go” to strengthen data security, Jepsen said.

Security Breaches Increase

A PricewaterhouseCoopers LLP survey of 9,700 senior corporate officials located in more than 154 countries reported that the number of detected security breaches increased to 117,339 incoming attacks each day—which would extrapolate to more than 42.8 million annually—a 48 percent jump compared with 2013, while total financial losses attributed to security compromises increased 34 percent compared with 2013.

TD Bank is part of Canada's Toronto-Dominion Bank and affiliates, collectively known as TD Bank Group. The group operates in more than a dozen U.S. states and is regulated by the federal Department of Treasury's Office of the Comptroller of the Currency.

To contact the reporter on this story: Stephen Joyce in New York at

To contact the editor responsible for this story: Heather Rothman at

The assurance of voluntary compliance is available at


Request Bloomberg Law: Privacy & Data Security