Department of Consumer Protection and Department of Banking Announce Settlement with Bank of New York Mellon for 2008 Data Breach
February 3, 2009
HARTFORD, February 3 -- The Connecticut Department of Consumer Protection, the Connecticut Department of Banking, and Bank of New York Mellon have reached an agreement settling a 2008 identity breach that affected more than 600,000 Connecticut residents. An Assurance of Voluntary Compliance signed last week by the bank and the two agencies, on behalf of the State of Connecticut, has concluded and resolved the investigation of BNY Mellon for the loss of a backup tape containing personally identifiable information.
“This settlement puts closure on an issue that brought to light the crucial need for improved data security among businesses and organizations that collect, store and manage personal information,” Consumer Protection Commissioner Jerry Farrell, Jr. said. “We have learned a great deal from this event and I cannot minimize the potential disaster it engendered for many hard-working Connecticut residents. However, I do commend BNY Mellon for its cooperation with all phases of this investigation, and for its swift, broad corrective measures.”
“Of the estimated 640,994 Connecticut residents who may have been affected by the February 2008 tape loss, about 91,000 have signed up for the free Experian credit monitoring service being paid for by BNY Mellon,” Department of Banking Commissioner Howard Pitkin said. “We know that BNY Mellon has spent $3.48 million to provide credit protections for Connecticut residents following the data breach, and recognize that they are taking responsible action to minimize its impact to consumers.”
On February 27, 2008, a computer tape containing personal data on several hundred thousand Connecticut residents was lost during transport between BNY Mellon’s New Jersey facility and a third-party archive services vendor’s warehouse, also in New Jersey. When the breach became known in May, Governor M. Jodi Rell immediately directed Commissioner Farrell to pursue all remedies available for affected Connecticut residents.
BNY Mellon was directed to immediately notify each affected bank customer by mail, and to provide twenty-four months of credit protection for the financial accounts that might be affected by the data breach. In addition, BNY Mellon was presented with, and complied with, numerous subpoenas from the Department of Consumer Protection concerning its actions before and after the data loss occurred.
During the investigation, BNY Mellon learned that data for an additional 135,000 Connecticut residents had been lost in the data breach. These individuals were notified in August and September of 2008. Credit protection was also made available by Bank of NY Mellon for financial accounts that might be affected.
Under this final agreement, BNY Mellon will provide an additional year of credit monitoring, for a total of 36 months of protection, to the individuals who were notified in August or September that their data had been breached back in February 2008. In addition, BNY Mellon will reimburse anyone from that group for any funds stolen from their accounts as a direct result of the data breach. Finally, the bank will pay $150,000 to the State of Connecticut General Fund.