TD Bank to Pay Massachusetts $625,000, Strengthen Security Procedures After Breach

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Martha Kessler

Dec. 8 — TD Bank NA agreed to pay Massachusetts $625,000 and take steps to strengthen its security practices after a set of backup tapes containing the personal information of more than 260,000 individuals nationwide went missing and the bank allegedly delayed notifying the state and those affected by the incident, the Massachusetts Attorney General's Office announced Dec. 8.

Although it agreed to the assurance of discontinuance filed Dec. 8 in the Massachusetts Superior Court, TD Bank denied that it violated any Massachusetts laws or regulations in connection with the incident or that it engaged in any wrongdoing.

“Massachusetts data breach law requires businesses to provide notice of a data breach promptly,” Massachusetts Attorney General Martha Coakley (D) said in a Dec. 8 statement. “Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost.”

The Massachusetts agreement comes in addition to an agreement TD Bank reached with nine state attorneys general in October related to the 2012 data breach. Under the terms of that accord, TD Bank agreed in a no-fault assurance of voluntary compliance to pay $850,000 and enhance data security standards and employee training.

$200,000 Credit

The attorney general alleged that in March 2012 the bank lost two unencrypted computer server backup tapes that were to be transported by a third-party courier between two of its Massachusetts offices.

Although the bank determined that the tapes may have included personally identifiable information for more than 90,000 Massachusetts residents, the attorney general alleged that the bank didn't notify her office and the potentially affected consumers as required by state law until October 2012.

The attorney general also alleged that TD Bank violated state data security regulations, including by failing to comply with its own policies requiring encryption of the personal information on the tapes, and by failing to retain a third-party service provider capable of maintaining appropriate security measures when transporting the tapes.

According to the agreement, TD Bank has agreed to a settlement amount of $825,000, although Massachusetts Attorney General's Office said in a statement that the bank has been credited $200,000 to reflect the security measures and upgrades it has already taken following the incident. The office also said the bank cooperated with the office throughout the investigation.

TD Bank will pay $325,000 in civil penalties, $75,000 in attorneys' fees and costs and $225,000 to an education fund administered by the Attorney General's Office.

No Incidents Detected

Since it first reported the issue in fall 2012, “TD Bank has been continually enhancing our technologies and processes to better protect the personal information of our customers,” TD Bank spokeswoman Judith Schmidt told Bloomberg BNA Dec. 8.

“Prior to the settlements with the Attorneys General, TD Bank made additional upgrades to its processes to continually enhance the security of our customer's information,” she said. “This agreement highlights our efforts to evolve our security controls to further benefit our customers.”

Schmidt said TD Bank settled with the attorneys general in an effort to resolve this issue and that, to date, the bank hasn't detected any unusual incidents of fraud related to customers who were impacted by this incident. Nor has any customer reported any incidents to the bank, which continues to monitor customer accounts for fraud, she said.

To contact the reporter on this story: Martha Kessler in Boston at

To contact the editor responsible for this story: Katie W. Johnson at

The assurance of discontinuance is at

Request Bloomberg Law: Privacy & Data Security