TD Bank will pay $625,000 after losing unencrypted back-up tapes containing personal information for more than 90,000 Massachusetts customers.
The bank delayed a notice of the incident to the Attorney General's Office, and impacted residents.
"Massachusetts data breach law requires businesses to provide notice of a data breach promptly," Martha Coakley said. "Businesses are required to secure the sensitive information that consumers entrust to them, and cannot subject consumers to unnecessary risk by failing to provide prompt notice when that information is compromised or lost."
Coakley's office alleges that in March 2012, the bank lost two unencrypted computer server backup tapes that were to be transported by a third-party courier from its Haverhill office to its Springfield office.
The latest news from around the state
Upon learning that the tapes had not arrived, TD Bank undertook an internal investigation to determine the content of the tapes and determined that the tapes may have included the names, addresses, Social Security numbers, account numbers, or other data elements such as date of birth or driver's license number, of Massachusetts residents. However, the bank did not notify Coakley's office.
To resolve the allegations, TD Bank has agreed to a settlement amount of $825,000. TD Bank will pay $325,000 in civil penalties, $75,000 in attorney's fees and costs, and $225,000 to a fund administered by the AG's Office to promote education or to fund local consumer aid programs. TD Bank has been credited $200,000 to reflect security measures and upgrades it has already taken following the incident. TD Bank cooperated with the AG's Office throughout the investigation.
The bank will also be required to take steps to strengthen its security practices.