AG, DCP Announce $850,000 Multistate Settlement with
TD Bank Over Data Breach
Attorney General George Jepsen and the state Department of Consumer Protection Commissioner William M. Rubenstein today announced an $850,000 multistate settlement with TD Bank, N.A. that resolves an investigation into a 2012 data breach that affected thousands of consumers and helps to ensure that protections are in place to prevent future incidents.
Connecticut led the nine-state group that worked for a year and a half to investigate the breach, as well as the bank's policies and procedures. Connecticut also led the negotiations leading to the assurance of voluntary compliance with TD Bank. The signed agreement will resolve consumer protection and privacy claims against TD Bank related to the 2012 breach. As the lead state, Connecticut’s overall share of the settlement totals $179,862; $100,000 will go to DCP's consumer privacy protection guaranty and enforcement account and the remaining amount will go to the state's General Fund.
“The importance of this agreement goes significantly beyond financial remedies by seeking to ensure that future similar breaches are prevented. Consumers have a reasonable expectation of privacy and protection when it comes to their personal and financial information. This agreement recognizes those rights and ensures that TD Bank will continue to work to address the policies and procedures in place in 2012 that contributed to this breach in the first place,” Attorney General Jepsen said.
“While we applaud all procedural efforts to keep customers’ personal data secure, we also remind consumers to always remain vigilant in monitoring their financial accounts and credit histories for any suspicious activities, Commissioner Rubenstein said.
In October 2012, the Connecticut Attorney General's Office received notification from TD Bank of a data breach involving the loss of unencrypted backup tapes in Massachusetts. These tapes contained 1.4 million files in 1,800 different file types. The files contained a variety of personal information belonging to some 260,000 TD Bank customers nationwide, including 43,157 customers in Connecticut.
TD Bank notified affected consumers about the breach and offered free credit monitoring services. TD Bank represented that no consumers were held liable for any unauthorized use of their accounts, and that there have been no reports of identity theft related to the breach to date.
The agreement requires TD Bank to notify residents of any future breaches of security or other acquisitions of personal information a timely manner. TD Bank also agreed to maintain reasonable security policies to protect personal information. The agreement ensures that no backup tapes will be transported unless they are encrypted and all security protocols are complied with. TD Bank will review on a bi-annual basis its existing internal policies regarding the collection, storage and transfer of consumer's personal information and make changes to more adequately protect such information as needed. TD Bank will also institute further training for their employees.
Attorney General Jepsen said, “This was a complex investigation, and TD Bank deserves credit for working in good faith with my office and the states affected to develop policies and practices to better protect consumer information going forward.”
Joining Connecticut in the agreement are Florida, Maine, Maryland, New Jersey, New York, North Carolina, Pennsylvania and Vermont.
Assistant Attorneys General Lorrie Adeyemi and Michele Lucan, members of the Attorney General’s Privacy Task Force, and Assistant Attorney General Matthew Fitzsimmons, head of the Task Force, assisted the Attorney General with this matter.
Office of the Attorney General:
Department of Consumer Protection:
Facebook: Attorney General George Jepsen