Simply Security - News, Views, and Opinions from Trend Micro

Unencrypted backup tapes land bank in hot water

Posted on October 15th, 2012 in Data Privacy by Simply Security

Encryption can mitigate the damage of data loss.

The financial services sector has seen its share of data security scares during the past 18 months, yet it appears as though there is still some distance between best practices and standard practices when it comes to protecting customer accounts. Last week, TD Bank notified the Massachusetts Attorney General's Office to report that a set of unencrypted backup tapes had gone missing in transit.

The storage media contained personally identifiable information on approximately 73,000 Massachusetts-based customers, including names, addresses, dates of birth, driver's license numbers, Social Security numbers and transactional data. According to the Boston Herald, the tapes went missing during a routine shipment between banking facilities in March.

"We're not classifying it as a data breach because no data has been lost – the data is misplaced," TD Bank spokeswoman Rebecca Acevedo told the newspaper. "There has been no evidence that there's been any misuse of the data, and we've continued to vigilantly monitor our customers' accounts."

Nevertheless, the lack of encryption has left the door open to doubts. As the Attorney General's Office continues its investigation into the matter, TD Bank will send out notices to nearly 270,000 potentially affected customers nationwide as a precaution.

"It's ridiculous that the backup tapes are not encrypted," Application Security chief technology officer Josh Shaul told the Herald. "I don't think there's any excuse in the world for it. It certainly goes against what I would call best practice."

As a result of this incident, the financial institution can expect to pay the price on several fronts. Officials have already set up a hotline to answer the questions of concerned customers and will provide credit monitoring services to any individuals who believe their accounts may have been affected by the data protection oversight.

In addition to that expense, there is the cost of lost business to consider. Losing several hundred thousand customer records is not an issue that can be swept under the rug, Ponemon Institute chairman and founder Larry Ponemon told the Herald. By his estimates, the data security scare could cost TD Bank more than $42 million when all is said and done – or approximately $160 per compromised customer record.

The company could also be in unique danger of encountering regulatory sanctions following a series of rigorous data protection mandates implemented by Massachusetts legislators in 2010. According to the Worcester Business Journal, state law now authorizes the Attorney General to fine companies up to $5,000 per compromised record. Although the clause has rarely been invoked, one restaurant group already incurred a fine of more than $100,000 for its mishandling of customer data.
