A few days ago, it was reported that TD Bank had “misplaced” tapes used to back up customer data; the tapes were apparently lost in transit back in March.
Even more distressing than the fact that the tapes were lost is knowing that the data is unencrypted – customer names, social security numbers, and bank account information are all contained on the two missing tapes.
Followers of our blog, and those familiar with the Massachusetts data security law 201 CMR 17, will know that any data breach where the loss contains Personally Identifiable Information of Massachusetts residents can result in a fine of up to $5000 per record lost. It’s anticipated that 73,000 of the 267,000 records belonged to Massachusetts residents.
Let’s do the math, shall we?
At a maximum of $5000 per record: 73,000 records lost × $5000 = $365,000,000 potential fine.
Yes, that’s right, $365 million. Under Massachusetts law, that’s the potential fine TD Bank could be facing.
These fines can be applied to any business that loses the PII of any Massachusetts resident, regardless of where the business is located. If your business is in the Northeast, odds are you have a number of MA residents in your client database, and if you’re collecting Personally Identifiable Information and storing the records together, you could very well be liable for any data theft or loss your business incurs.
For a business of any size, whether you have 2 employees, 200, or even 2000, data loss WILL hurt your business’s bottom line through potential fines and lost business. It’s anticipated that data loss will cost businesses $12 billion in lost revenue and productivity.
How can you help protect your business against data theft and loss? As you can see from the graph on the left, not all data loss is due to malicious theft; it could be something as simple as hardware failure or an employee forgetting to swap out the backup tapes on your network.
First, it’s VERY important to make sure your business has a Written Information Security Program (WISP). To help, we’ve put a copy of the WISP plan and guidelines developed by the Commonwealth of Massachusetts on our website. To download a copy, just click here.
Second, it’s critical to 1) back up your data daily, and 2) know the state of your backups at all times. We’ve found that smaller businesses aren’t proactive enough in making sure their data is being properly backed up. To help on that front, we offer our MegaBackup service, which automatically backs up your data on a daily basis via the cloud to our secure data centers. Our software service runs on local PCs or servers, detects new or changed data since your last backup, and automatically backs it up offsite, using full encryption.