The Massachusetts Attorney General’s Office and Belmont Savings Bank have agreed to resolve allegations that Belmont Savings Bank violated the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00 here) through an Assurance of Discontinuance, which has been filed in Massachusetts state court (see document here). Belmont Savings Bank has agreed to pay a civil penalty of $7,500 and to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General’s Office, was likely incinerated by the bank’s waste disposal company.
While there is no evidence indicating that any customer’s personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose, the Assurance of Discontinuance states that if actual harm to customers results, the Attorney General’s Office will reopen discussions in order to determine appropriate restitution. This is the first settlement related to a violation of the Commonwealth’s relatively new data security regulations. While the Attorney General’s Office entered into a consent agreement with a restaurant chain in April 2011 for data security failures, that alleged breach occurred before the new data security regulations went into effect on March 1, 2010. (See our post about this consent agreement here.)
Importantly, Belmont Savings Bank did have a written information security program (WISP) in place at the time of the breach, as required by Massachusetts’s data security regulations. Despite this, the Assurance of Discontinuance requires Belmont Savings Bank to comply with Massachusetts’s data security regulations in all respects, including encrypting, to the extent technically feasible, all personal information stored on laptops and other portable devices, including backup tapes. In addition, the Assurance of Discontinuance requires Belmont Savings Bank to comply with the provisions of its own WISP, including (a) ensuring the proper transfer and inventory of backup tapes containing personal information; (b) storing backup tapes containing personal information in a secure location; and (c) effectively training the members of its workforce on the policies and procedures with respect to maintaining the security of personal information.
What message is the Attorney General sending? Complying with the Massachusetts data security regulations on paper alone is not enough. Day-to-day business practices must also be in compliance. Indeed, Attorney General Coakley commented: "Consumers expect businesses to not only develop policies and procedures to safeguard their sensitive personal information, but to follow these procedures as well. Our office will continue to take action against companies that fail to follow protocol to protect the information entrusted to them by customers."