TD Bank North America (“TD Bank”) and the Massachusetts Attorney General announced an agreement on December 8 to end a data breach lawsuit brought against TD Bank by the Massachusetts Attorney General. The lawsuit alleged that TD Bank failed to properly protect and encrypt personal customer information contained on two server backup tapes that it lost. The suit also alleged that TD Bank did not promptly notify the Attorney General of the breach as required by Massachusetts law.
The data breach in question occurred after a set of unencrypted server backup tapes containing the personal information of over 260,000 customers disappeared from TD Bank’s custody in March 2012. The tapes were allegedly lost after being placed on a loading dock for pickup and transport by a third-party courier. Among other information, the tapes contained the names, addresses, and Social Security numbers of over 90,000 Massachusetts residents.
The Commonwealth alleged that TD Bank was, or should have been, aware of the breach on May 16, 2012, but did not notify the Massachusetts Attorney General until October 5, 2012. TD Bank then notified affected customers on October 12, 2012. TD Bank countered that it promptly notified its federal regulators the day it became aware of the breach, and notified the Massachusetts Attorney General and customers only after completing its own investigation of the breach.
“Massachusetts data breach law requires businesses to provide notice of a data breach promptly,” said Attorney General Martha Coakley (D) in a statement issued December 8. “Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost.”
In an assurance of discontinuance filed with the Commonwealth of Massachusetts on December 8, 2014, TD Bank agreed to strengthen its security protections and pay Massachusetts $625,000. This settlement amount consisted of $325,000 in civil penalties, $75,000 in attorney fees and costs, and $225,000 toward an education fund run by the Attorney General’s office. The settlement agreement originally totaled $825,000, but was reduced by $200,000 in light of the security measures taken by TD Bank since the breach. Despite the agreement, TD Bank denies any wrongdoing or violations of Massachusetts data breach law. The Massachusetts agreement comes on the heels of an assurance of voluntary compliance reached by TD Bank and nine other state attorneys general based on the same data breach. This no-fault agreement similarly required TD Bank to strengthen its data security protocols and pay $850,000 in fines.
This is one of the few instances in which the “knew or should have known” standard, and the equivalent language now appearing in many state data breach notification laws, has actually been litigated. The settlement is a reminder that the notification clock can start well before an organization finishes its own investigation, and that regulators may apply the standard aggressively: here the Commonwealth measured the delay from the date TD Bank should have known of the loss, not from the date it completed its inquiry. It is also a reminder that the dispute arose only because the tapes were unencrypted; the Massachusetts statute, like most state breach laws, defines a breach in terms of unencrypted personal information, so encrypting backup media before it leaves the company’s control largely removes the question of when notice is due.