Bank confirms tape with info on 12 million customers of its shareowner services unit is unaccounted for; fines, lawsuits possible
By Matthew Scott
September 2, 2008
A security breach that occurred at the Bank of New York Mellon earlier this year turned out to be three times as large as it initially reported, the bank revealed last Thursday.
The breach involved the loss of unencrypted computer back-up tapes that contained confidential information about 12 million customers of the bank’s shareholder services unit, rather than the 4 million it originally announced. That could triple the company’s cost of dealing with the problem and potentially expand its liability.
In a statement, Bank of New York Mellon said it was in the process of notifying all the customers affected by the breach, as required by the Personal Data Privacy and Security Act of 2007. It is also paying for credit monitoring services and identity theft insurance for affected customers.
“We are actively engaged in a top-to-bottom review of our security policies and procedures,” Brian Rogan, the bank’s chief risk officer, said in a statement. “We are taking the steps necessary to ensure we have industry-leading security measures in place across all of our businesses.”
The security breach occurred when the unencrypted back-up tapes were being transported to a storage facility operated by third-party vendor Archive Systems. The tapes, which included Social Security numbers, names, addresses and dates of birth, went missing on Feb. 27. The bank maintains that there is no evidence that information on the tape has been accessed or misused in any way.
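The exposure described above exists only because the tapes left the building in cleartext. The following is an added illustration, not code from the bank, its vendor or this article, of the control that would have made a lost tape a lost piece of plastic rather than a breach: every backup set is encrypted with AES-256-GCM before it is written to removable media, the tape label is bound into the authentication tag so a blob restored under the wrong label is rejected, and the key is assumed to be held in a separate key-management system that never travels with the tape. The sample record, the tape labels and the function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds an AES-256-GCM cipher from a 32-byte key. The key is assumed
// to come from a KMS/HSM; it is never written to the tape alongside the data.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts one backup set before it is written to removable media.
// The tape label is bound as associated data, so the blob only opens under
// the label it was sealed with. On-tape layout: nonce || ciphertext || tag.
func SealBackup(key []byte, tapeLabel string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(tapeLabel)), nil
}

// OpenBackup decrypts a blob read back from tape. Any modification of the
// blob, or a mismatch between the label used at seal and open time, fails
// the GCM tag check and returns an error instead of corrupted data.
func OpenBackup(key []byte, tapeLabel string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed backup")
	}
	nonce, ct := blob[:ns], blob[ns:]
	return aead.Open(nil, nonce, ct, []byte(tapeLabel))
}

func main() {
	// Constructed key and record; a real deployment fetches the key from a KMS.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("constructed record: name=J. Doe dob=1970-01-01 ssn=000-00-0000")

	blob, err := SealBackup(key, "TAPE-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes sealed into %d bytes for tape TAPE-0001\n", len(record), len(blob))

	// A tape restored under the wrong label is refused rather than decrypted.
	if _, err := OpenBackup(key, "TAPE-0002", blob); err != nil {
		fmt.Println("restore under wrong label rejected:", err)
	}

	out, err := OpenBackup(key, "TAPE-0001", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored under correct label:", string(out))
}
```

With this in place, the question a lost-tape incident turns on shifts from "what was on the tape" to "where is the key", which never left the bank's own systems; the label binding additionally stops a mislabelled or swapped cartridge from being restored silently into the wrong environment.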
Robert Scott, managing partner of Scott & Scott, a law and technology services firm, said that because Bank of New York Mellon is a financial services firm regulated by federal agencies, more potential problems may arise from this breach.
“There is a different legal landscape when you deal with a federally regulated entity as opposed to a retail business,” Mr. Scott said, noting that banks must meet standards set by the Office of the Comptroller of the Currency, while investment advisory firms must meet standards set by the Securities and Exchange Commission when it comes to security breaches.
He said that in this case, if it is found that there was a failure to comply with the rules pertaining to data breaches, federal agencies could bring legal actions or impose fines against the Bank of New York Mellon, in addition to any lawsuits filed by state attorneys general and customers who are harmed.
Since there are no set penalties for failing to safeguard customer data, the amount of liability for the company is very open-ended.
“The legal landscape involving data breaches is very much in flux,” said Mr. Scott.
Corporations in the financial services and health-care industries are particularly vulnerable to data breaches involving back-up tapes, he said. Mr. Scott advises companies to purchase network security and privacy insurance to cover the cost of any actions taken by state and federal agencies and the cost of notifying customers, as well as customer losses.
