Last fall I received a letter that I thought must be a scam, or a joke, or at the very least a mistake. It was from TD Bank, where I have a checking account, and it informed me that the bank had lost two data tapes containing the personal information of 260,000 customers while transporting them between storage locations. The letter went on to explain that the information contained on these tapes may include names, addresses, social security numbers, and account numbers, and that I was among the lucky 260,000 whose information was on those tapes.
The letter said that the data tapes had been lost in March, 2011. The letter was sent in October, 2012.
This must be a scam then! Someone was trying to scare me into calling the phone number provided, and divulging all my identifying information. There’s absolutely no way that any bank would keep such a massive data breach secret for seven months, I thought. That would mean seven months of identity thieves having their way with my data — distributing it all over the world, opening credit cards, buying cars, homes, other fun things that I would never be able to buy because they had ruined my credit. Think of the liability the bank would face! TD’s lawyers would never let the bank wait seven months to let me know about this. So I took to the Internet to find out. Other people must have been targeted by these scammers, too. The Internet would tell me all.
And it did. What I learned shocked me. This wasn’t a scam. This was real. TD had really waited seven (SEVEN!!) months (MONTHS!) to tell its customers about the data breach.
A desire for revenge began to eclipse my feeling of shock. This is going to be massive, I hoped. I could feel it. I could taste it. TD was going to get so sued. There would be a huge class action, and hey, maybe I’ll get a juicy cut of the payout.
Three months later, though, there’s still no suit. Deep in the lull between law school semesters, I decided to investigate why. Here’s what I found:
People’s personal information is being leaked all over the place these days, and TD Bank customers are far from the only victims. In other notable incidents in 2012, the South Carolina Department of Revenue’s database of taxpayers got hacked, compromising 3.6 million social security numbers and thousands of credit and debit card numbers, and hackers cracked into the credit card terminals at Barnes and Noble checkout counters, resulting in several incidents of identity theft.
Neither South Carolina nor Barnes and Noble waited as long as TD did (in case you haven’t been paying attention, that would be seven months) to inform those affected, though. After discovering the breaches, Barnes and Noble waited just over a month, and South Carolina even less, just over two weeks. Both claimed the delays were due to requests by law enforcement who said that making the breaches public could jeopardize ongoing investigations.
Compared with these brief delays, TD’s failure to inform us for seven months seems unconscionable. If we customers had known of the breach, we could have kept a closer eye on our statements, enrolled in a credit monitoring service, or transferred our funds to another bank! Instead, TD left us clueless for seven months. This had to be illegal.
I set out to find the law or laws that had been broken.
Although there is no federal law that addresses the problem posed by late notification yet, all states except Alabama, Kentucky, New Mexico, and South Dakota have state laws that do. But because many of these laws do not specify how long is too long to keep a breach like the one I experienced secret, companies that have our data enjoy a lot of slack as to when they must notify you of the breach. By the time they do, the damage may have already been done.
For instance, California’s law, which was the first to be enacted by any state, in 2002, says that disclosure of a security breach should be “made in the most expedient time possible and without unreasonable delay.” Most states have adopted the same or similar language in their laws.
Now, seven months would seem to be an unreasonable delay, but from a legal standpoint, if you think that language is hopelessly vague, you’re right. We cannot know what an “unreasonable delay” is until a court says what it is, and that hasn’t happened yet, neither in California nor in any of the other states that have similar statutes.
There are exceptions embedded in many of these laws, too, that allow companies to keep breaches secret for a long period of time, or not disclose them at all. In my home state of Connecticut, for instance, notification can be delayed if law enforcement determines that the notification “will impede a criminal investigation.” Disclosure does not need to be made at all if, after the law enforcement investigation, it is determined that the breach will not likely result in harm to the people whose information was taken. Disclosure is also not needed if the data is encrypted, even though encryption is not always effective.
A few states have more robust laws. Wisconsin, Florida, and Ohio mandate disclosure no later than 45 days after law enforcement gives the OK. Maine’s law is similar, and only allows seven days after a nod from law enforcement.
To be fair, the laws that do not impose strict deadlines are probably not completely worthless. The mere threat of a lawsuit can encourage a quick disclosure, or lead to a settlement. But these settlements can be paltry, and leave the people whose information has been lost out in the cold. For example, in 2007, New York’s Attorney General settled with a company that lost the personal information of 540,000 New Yorkers, and didn’t disclose it for two months. The settlement terms: promises to impose better security measures and not wait so long to tell people about a breach in the future, and a $60,000 fine payable to the attorney general’s office.
Now where does the law leave me and the 259,999 other TD customers who were not informed of the data breach at the bank for seven months? This was seven months, after all, more than three times the two-month delay in the case that the New York Attorney General settled.
Some litigation could be in the works, but because we don’t know why TD kept the breach secret for so long it’s tough to say with certainty whether TD will suffer consequences, meaningful or not. Keeping mum may have been due to a law enforcement request, which would likely absolve the bank of liability.
Even if a suit does go forward, I wouldn’t bank on a hefty payout. As I explain above, no court has ever concluded that one of these state laws has been broken. And as we see with that 2007 New York settlement, even monies in a settlement may not trickle down to you, the lowly customer.
Maybe the only way to punish TD is to show your disapproval with your feet, and change banks.
Here are some tips on doing just that.