The Massachusetts AG Reaches Agreement With Bank Over Alleged Violations of the State’s Data Security Regulations


On July 28, 2011, the Massachusetts Attorney General (“AG”) entered into an agreement with a Massachusetts bank regarding alleged violations of the state’s data security regulation. Specifically, the Massachusetts AG entered into an Assurance of Discontinuance with the bank (in lieu of an enforcement action), in which the bank agreed to comply with the state’s data security regulations, as well as to pay a civil penalty of $7,500.

According to the Massachusetts AG’s press release, a bank employee left an unencrypted backup tape, containing, among other things, Social Security numbers and account numbers of Massachusetts residents, on a desk at the end of the work day, rather than storing the tape in a vault. Reportedly, surveillance footage showed that the backup tape then was inadvertently thrown away by the bank’s cleaning crew. The AG’s press release, however, indicates that ultimately the tape was likely to have been “incinerated” by the bank’s waste disposal company.

In its Assurance of Discontinuance, the Massachusetts AG alleged that this incident involved two violations of the state’s data security regulations. First, the AG alleged that the bank violated the regulations by “maintaining personal information on unencrypted backup data tapes.” Second, the AG alleged that the bank violated the regulations by “failing to follow its own Written Information Security Program . . . resulting in the improper handling and subsequent loss of a backup data tape.” The AG raised this second allegation even though neither the AG nor the bank had any information indicating that any personal information had been acquired or used by an unauthorized person.

Please see full alert below for more information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP | Attorney Advertising
