In 2012, TD Bank reported the loss of backup tapes. With over 250,000 people affected, it was one of the top data breaches of that year. The lack of encryption on the tapes – plus the fact that this happened in Massachusetts, which is considered to have one of the most onerous data security and breach notification laws in the country, and which, like most such laws, does not require notification when the lost data was encrypted – meant that the financial institution had to report the breach.
The site databreaches.net is reporting that the bank has announced a multi-state settlement of $850,000. This is on top of whatever monies were used to deal with the immediate aftermath of the data breach (notifying clients, setting up call centers for people demanding to know more, carrying out forensic investigations, etc).
All in all, there’s nothing new here when it comes to the details of the resolution. You’ve got the promises to do better, to educate employees, the upgrade to security, etc. However, some things did catch my eye.
9 AGs Involved, 1.5 Years
Finding closure to the data breach took 1.5 years: the breach was reported in October 2012 (although the loss of the tapes itself took place 8 months earlier). In addition, nine state Attorneys General were involved – which presumably means residents of nine states were affected.
Although there’s no way to tell how often the bank had to accommodate demands for access and information, I can imagine that it couldn’t have been easy. It must have been costly, diverting staff and hours to something that doesn’t contribute to the bottom line at all (unlike spending on data security controls such as encryption software, which also has no direct ROI but, like insurance, at least pays off should something go wrong). To have done so for nine different AGs must have been something else.
Backup Tapes will be Encrypted
As part of the settlement, the bank has agreed that “no backup tapes will be transported unless they are encrypted and all security protocols are complied with.”
I’m surprised that this is even a thing…but then again, not so much. Most reasonable people would of course ensure that similar incidents do not recur. In TD’s case, since it’s impossible to guarantee that backup tapes won’t go missing again (that’s outside their control), the best it can do is to encrypt the sensitive data on the tapes (which is within their control). With encryption in place, and the keys managed separately from the media rather than shipped alongside them, a lost tape becomes a lost piece of plastic instead of a reportable breach.
On the other hand, I’ve already witnessed instances where organizations repeatedly fall victim to one breach or another that happens to be similar in nature: unencrypted laptop stolen from a car; unencrypted laptop stolen from a van; unencrypted laptop stolen from a home during a burglary; etc. Despite the differences in circumstance, it’s really just one data breach – and one that can be easily combated by the same action: encrypt your laptops.