TD Bank has notified their customers of a data breach through the loss of a backup tape. Initial reports have said that the tapes contain the account information and Social Security numbers of more than 267,000 customers on the US East Coast. The tape was not encrypted so, while the bank is unaware of any misuse of the information, anyone who does obtain the tape could easily read the information it contains.
I was with some TD Bank customers the day the data breach was acknowledged. There were two comments made that I hear any time a breach occurs, so I wanted to share them to help you protect your brand image in the event of a data loss.
It took too long to notify customers of the data breach
The first comment the people I spoke with made was that six months was too long for the bank to notify customers that a data breach occurred. TD Bank has said that they were investigating the incident during this period. The customers I spoke with took the view that the bank either had the tape or they didn’t, so why did it take so long to be notified? The customers felt that the delay put their accounts at further risk and increased their exposure to identity theft.
Notice of a data breach to your customers needs to be timely. The definition of timely rests on the perception of the customer. Any time beyond the customers’ perception of timely may be seen as the investigation not having been a priority or, as seen by the comments above, that you are putting the customers at additional risk.
The more complex a breach is perceived to be, the more time customers will tolerate for notification. For example, an intrusion into your systems is perceived to take longer to investigate than something that has been misplaced.
More should have been done to protect against the data breach
Hindsight is 20/20, and we begin thinking “if only we had…”. Hopefully we will learn from each other’s experiences and improve our own programs.
In this case, more should have been done to protect the data. TD Bank has customers in Massachusetts. MA 201 CMR 17.00 provides standards of protection for personal information for residents of this commonwealth. Under this statute, the encryption of personal data that resides on portable devices is required. Personal information under the Massachusetts law includes financial account information or Social Security number in conjunction with first name or initial and last name. Massachusetts includes tapes as portable storage devices.
In my conversations with the bank’s customers, they began to question the overall security procedures used in the bank’s data processing. This may be a large leap in thinking, but one that someone unfamiliar with IT practices may make.
Privacy professionals today recognize that for any organization it is not a question of if a data breach will occur, but when it will occur. How the public perceives your communications about, response to, and the circumstances of the breach will have an impact on your brand image. Preparing a response plan before a data breach occurs is something every organization should do to minimize any impacts, including brand damage, that may occur.