TD Bank has agreed to pay a $625,000 settlement in the aftermath of a March 2012 data breach that occurred when two unencrypted backup tapes went missing during a courier run between its offices in Haverhill and Springfield, Mass.
The breach impacted more than a quarter of a million consumers across the country, 90,000 of them in Massachusetts, whose names, addresses, Social Security numbers, account numbers and other identifying data may have been exposed. But the bank failed to notify customers and the Massachusetts attorney general in the wake of its investigation of the breach.
State Attorney General Martha Coakley said, when announcing the settlement, that the bank didn't heed the state's data breach law which requires “prompt notification” of a breach. TD Bank didn't make notification until seven months after the breach occurred.
According to a press release put out by Coakley's office, TD Bank's settlement includes “$325,000 in civil penalties, $75,000 in attorney's fees and costs, and $225,000 to a fund administered by the AG's Office to promote education or to fund local consumer aid programs.”
The bank has been credited $200,000 for adopting security measures and upgrades after the breach and the AG's Office said TD Bank had been cooperative during the investigation.
In addition to paying the settlement, the bank has agreed to a number of terms, including providing prompt notification in the future and requiring third parties to take appropriate security measures.
“Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost,” Coakley said in the press release.