New Jersey Joins Multi-State Settlement with TD Bank Over Data Breach that Affected Thousands of Consumers
TRENTON - Acting Attorney General John J. Hoffman announced today that New Jersey and eight other states have entered into an $850,000 multi-state settlement agreement with TD Bank, N.A., that resolves a 2012 data breach and is designed to help ensure that future consumer privacy breaches do not occur.
New Jersey was part of a nine-state group that worked for a year-and-a-half to investigate the TD Bank breach, which affected thousands of TD customers, and to negotiate the Assurance of Voluntary Compliance agreement being announced today.
The states' investigation focused not only on the data breach, but on TD Bank's policies and procedures as well. The resulting settlement agreement resolves consumer protection and privacy claims against TD.
"All consumers â€“ and especially banking consumers -- have a reasonable expectation of privacy and protection when it comes to their information," said Acting Attorney General Hoffman. "This settlement agreement is important to New Jersey consumers because it will help to prevent future data breaches by ensuring that TD Bank reforms the policies and procedures that allowed this breach to happen."
In October 2012, authorities in Connecticut received notification from TD Bank of a data breach involving the loss of unencrypted back-up tapes in another state. The back-up tapes contained 1.4 million files in 1,800 different file types that had been accumulated over a period of eight-to-10 years. The files contained personal information belonging to some 260,000 TD Bank customers nationwide.
TD Bank subsequently notified affected customers about the data breach, offered free credit monitoring services, and cooperated fully with those who wished to transfer their funds to a new account. No consumers were held liable for any unauthorized use of their accounts (although there have been no reports of identity theft to date.)
New Jersey's share of the multi-state settlement is $103,760.
In addition to its monetary terms, the agreement announced today requires TD Bank to notify customers of any future breaches of security or other acquisitions of personal information in a timely manner. TD Bank also has agreed to maintain reasonable security policies to protect personal information.
The agreement ensures that no backup tapes will be transported unless they are encrypted and all security protocols have been observed. On a bi-annual basis, TD Bank will review its existing internal policies regarding the collection, storage and transfer of consumers' personal information and make changes to more adequately protect such information as needed. TD Bank also will institute further training relative to data and privacy protection for its employees.
In addition to New Jersey, states party to the TD Bank agreement include: Connecticut, Florida, Maine, Maryland, New York, North Carolina, Pennsylvania and Vermont.
Deputy Attorney General Alina Wells, assigned to the Division of Law's Consumer Fraud Prosecution Section, handled the TD Bank matter on behalf of the State.