A DISCUSSION OF LAW AND JOURNALISM

Seven Months!

Bill shock

By Will Bartholomew

Last fall I received a letter that I thought must be a scam, or a joke, or at the very least a mistake. It was from TD Bank, where I have a checking account, and it informed me that the bank had lost two data tapes containing the personal information of 260,000 customers while transporting them between storage locations. The letter went on to explain that the information contained on these tapes may include names, addresses, social security numbers, and account numbers, and that I was among the lucky 260,000 whose information was on those tapes.

The letter said that the data tapes had been lost in March, 2011. The letter was sent in October, 2012.

This must be a scam then! Someone was trying to scare me into calling the phone number provided, and divulging all my identifying information. There’s absolutely no way that any bank would keep such a massive data breach secret for seven months, I thought. That would mean seven months of identity thieves having their way with my data — distributing it all over the world, opening credit cards, buying cars, homes, other fun things that I would never be able to buy because they had ruined my credit. Think of the liability the bank would face! TD’s lawyers would never let the bank wait seven months to let me know about this. So I took to the Internet to find out. Other people must have been targeted by these scammers, too. The Internet would tell me all.

And it did.  What I learned shocked me. This wasn’t a scam. This was real. TD had really waited seven (SEVEN!!) months (MONTHS!) to tell its customers about the data breach.

A desire for revenge began to eclipse my feeling of shock. This is going to be massive, I hoped. I could feel it. I could taste it. TD was going to get so sued. There would be a huge class action, and hey, maybe I’ll get a juicy cut of the payout.

Three months later, though, there’s still no suit. Deep in the lull between law school semesters, I decided to investigate why. Here’s what I found:

People’s personal information is being leaked all over the place these days, and TD Bank customers are far from the only victims. In other notable incidents in 2012, the South Carolina Department of Revenue’s database of taxpayers got hacked, compromising 3.6 million social security numbers and thousands of credit and debit card numbers, and hackers cracked into the credit card terminals at Barnes and Noble checkout counters, resulting in several incidents of identity theft.

Neither South Carolina nor Barnes and Noble waited as long as TD did (in case you haven’t been paying attention, that would be seven months) to inform those affected, though. After discovering the breaches, Barnes and Noble waited just over a month, and South Carolina even less, just over two weeks. Both claimed the delays were due to requests by law enforcement who said that making the breaches public could jeopardize ongoing investigations.

Compared with these brief delays, TD’s failure to inform us for seven months seems unconscionable. If we customers had known of the breach, we could have kept a closer eye on our statements, enrolled in a credit monitoring service, or transferred our funds to another bank! Instead, TD left us clueless for seven months. This had to be illegal.

I set out to find the law or laws that had been broken.

Although there is no federal law that addresses the problem posed by late notification yet, all states except Alabama, Kentucky, New Mexico, and South Dakota have state laws that do. But because many of these laws do not specify how long keeping a breach like I experienced is too long, companies that have our data enjoy a lot of slack as to when they must to notify you of the breach. By the time they do, the damage may have already been done.

For instance, California’s law, which was the first to be enacted by any state, in 2002, says that disclosure of a security breach should be “made in the most expedient time possible and without unreasonable delay.” Most states have adopted the same or similar language in their laws.

Now, seven months would seem to be to be an unreasonable delay but, from a legal standpoint, if you think that language is hopelessly vague, you’re right. We cannot know what an “unreasonable delay” is until a court says what it is, and that hasn’t happened yet, neither in California nor in any of the other states that have similar statutes.

There are exceptions embedded in many of these laws too, that allow companies to keep breaches secret for a long period of time, or not disclose them at all. In my home state of Connecticut, for instance, notification can be delayed if law enforcement determines that the notification “will impede a criminal investigation.” Disclosure does not need to be made at all if, after the law enforcement investigation, it is determined that the breach will not likely result in harm to the people whose information was taken. Disclosure is also not needed if the data is encrypted, even though encryption is not always effective.

A few states have more robust laws. Wisconsin, Florida, and Ohio mandate disclosure no later than 45 days after law enforcement gives the OK. Maine’s law is similar, and only allows seven days after a nod from law enforcement

To be fair, the laws that do not impose strict deadlines are probably not completely worthless. The mere threat of a lawsuit can encourage a quick disclosure, or lead to a settlement. But these settlements can be paltry, and leave the people whose information has been lost out in the cold. For example, in 2007, New York’s Attorney General settled with a company that lost the personal information of 540,000 New Yorkers, and didn’t disclose it for two months. The settlement terms: promises to impose better security measures and not wait so long to tell people about a breach in the future, and a $60,000 fine payable to the attorney general’s office.

Now where does the law leave me and the 259,999 other TD customers who were not informed of the data breach at the bank for seven months? This was seven months after all, triple the number of months, plus one, in the case that the New York Attorney General settled on.

Some litigation could be in the works, but because we don’t know why TD kept the breach secret for so long it’s tough to say with certainty whether TD will suffer consequences, meaningful or not. Keeping mum may have been due to a law enforcement request, which would likely absolve the bank of liability.

Even if a suit does go forward, I wouldn’t bank on a hefty payout. As I explain above, no court has ever concluded that one of these state laws has been broken. And as we see with that 2007 New York settlement, even monies in a settlement may not trickle down to you, the lowly customer.

Maybe the only way to punish TD is to show your disapproval with your feet, and change banks.

Here are some tips on doing just that.

Comments

4 Comments »

4 Responses

  1. PII says:

    (NOT INTENDED TO BE LEGAL ADVICE, THERE ARE MY THOUGHTS)

    Thoughtful analysis that could be strengthened if other factors and angles are considered.

    1. Transport of data tapes should have policy and procedures to guide off-site or on-site storage. A recent 1st Cir. case addressed the reasonableness of security protocols–granted, that case was a theft of funds matter, but the principles analyzing the issue could apply here.

    2. When law enforcement does need confidentiality, there are usually requests from bank counsel to the prosecutor confirming or requesting if confidentiality is still needed, and this is usually repeated. As such, the bank here should have records of such exchanges, the content of which may not be subject to discovery nor the agency investigating would be disclosed, but the admission that there were such communications to enforce the safe harbor, is a fair response and needed for assertion of an affirmative defense by the financial institution.

    3. Damages in data breach cases are very hard to establish, consequently, most cases are dismissed. And now with the Dukes case, customers who were harmed could be harmed in different ways, but there is a way to plead around this if enough thought is put into it.

    As a side note, this is not good customer service. All these accounts should have been monitored for suspicious activity in that seven month period, so a consumer who was harmed could know right away. This could have been done but would likely not be disclosed by the financial institution.

  2. wayne says:

    I am one of the many on these tapes. My data has already been used illegally. I would think that they could be sued on the grounds that the tapes were mishandled. I now have become a victim of identity theft due to negligence on the banks part.

  3. Ryan says:

    I to am one of the people affected and if you are woundering why I am just reading this it is because I did not recive my letter from the bank until March 2nd of 2013……. ONE YEAR LATER!!!!!

  4. DRF says:

    Just a small correction, the LinkedIN passwords were not encrypted but rather hashed and the hashing was done in a very bad way.
    Had the passwords been encrypted there would have been no leaks unless the key to the encryption had been stolen along with it.

    In my opinion if the tapes that were stolen were not encrypted this should constitute reckless or even willful negligence on the part of the bank given today’s knowledge and the fairly small cost of such security precautions. I’m afraid this might still be hard to argue in court given the way the Aurenheimer case has been decided, but then again I suppose reckless negligence on the part of a company is not a defense if you are the one who is accused of circumventing the protection. I’m not sure that the customers affected in that case sued AT&T which would be the more interesting opinion from this point of view.

Leave a Reply


2 × = eight