Bureau of Financial Institutions Issues Report Examining Impact of Data Breaches on Maine Banks and Credit Unions
December 19, 2008
Augusta - GARDINER, MAINE – The Bureau of Financial Institutions has released a first-of-its-kind report examining the impact of data security breaches on Maine banks and credit unions. The “Maine Data Breach Study” identifies the various consumer protection steps taken by financial institutions in the aftermath of a breach and highlights the costs associated with breaches.
“This study reveals the impact a large-scale data breach has on Maine banks, credit unions and their customers,” Bureau of Financial Institutions’ Superintendent Lloyd P. LaFountain, III commented. “The cost to banks and credit unions—in terms of financial and staffing resources—can be substantial.”
Since January 1, 2007, there have been two major data breaches affecting Maine’s financial institutions: the TJX (a corporation owning TJMaxx, Marshalls, HomeGoods, and other retailers) data breach, which became known to banks and credit unions in January 2007, and the Hannaford Bros. Co. data breach, which became known to banks and credit unions in March 2008. The survey results identified four categories of costs borne by banks and credit unions: the costs associated with investigation, communication, reissuance and net fraud.

EXPENSE SUMMARY ($ in thousands)

| Category | TJX $ | TJX % | Hannaford $ | Hannaford % | Other $ | Other % | Total $ | Total % |
|---|---|---|---|---|---|---|---|---|
| Investigation | 71.6 | 14.8 | 184.9 | 11.6 | 13.4 | 21.3 | 269.9 | 12.6 |
| Communication | 72.6 | 15.0 | 218.6 | 13.7 | 13.2 | 21.1 | 304.5 | 14.2 |
| Reissuance | 285.1 | 58.8 | 859.5 | 53.9 | 19.5 | 31.1 | 1,164.2 | 54.3 |
| Net Fraud | 36.2 | 7.5 | 299.5 | 18.8 | 0.4 | 0.6 | 336.1 | 15.7 |
| Other | 19.6 | 4.0 | 32.9 | 2.1 | 16.2 | 25.9 | 68.8 | 3.2 |
| TOTAL | 485.2 | 100.0 | 1,595.4 | 100.0 | 62.8 | 100.0 | 2,143.5 | 100.0 |

For the TJX breach, 49 of the 52 affected institutions reported a Reissuance Expense, ranging from a low of $60 to a high of $32,146. For the Hannaford breach, 70 of the 71 affected institutions reported a Reissuance Expense, ranging from a low of $250 to a high of $58,278.

REISSUANCE EXPENSE

| | TJX | Hannaford |
|---|---|---|
| Number of Institutions Affected | 52 | 71 |
| Number of Institutions Reporting Expenses | 49 | 70 |
| Highest Expense Reported by Single Institution | $32,146 | $58,278 |
| Lowest Expense Reported by Single Institution | $60 | $250 |
| Highest Individual | 11.3% | 6.8% |
| Top 5 | 42.9% | 24.7% |

There was only one report of a data breach actually occurring within a financial institution since January 1, 2007. Pursuant to 10 M.R.S.A. Chapter 210-B, this financial institution notified the Bureau of this breach shortly after it occurred and took all other appropriate actions.
The number of accounts, customers or cards affected at each financial institution was generally proportionate to the financial institution’s total assets (i.e., the smaller the financial institution’s assets, the lower the number of accounts affected). With respect to the TJX breach, the lowest number of accounts affected at an individual financial institution was 26 and the highest number was 5,460. With respect to the Hannaford breach, the lowest number was 95 and the highest was 22,094. Without exception, every financial institution that was affected by both the TJX breach and the Hannaford breach reported a greater number of accounts affected by the Hannaford breach.

For many financial institutions, a decision was made to re-issue all customer cards. In a minority of cases, financial institutions provided their customers with the option of having their cards replaced. Only after customers notified the financial institution that they wished to have their card replaced was the old card blocked (or “soft carded”). Otherwise, the decision to replace cards was made unilaterally by the financial institutions.

Any reporting of unauthorized or fraudulent activity on accounts was followed up by manual reviews of those accounts to verify whether or not unauthorized or fraudulent activity took place. The majority of financial institutions reported no unauthorized or fraudulent transfers. Of the 71 affected financial institutions, 25 reported unauthorized or fraudulent transfers. In one case, the unauthorized activity involved only one account and, in most instances, fewer than 25 accounts. In another case, however, the number of accounts which may have been subject to fraudulent transfers due to the breach was 265, and the amount subject to unauthorized or fraudulent transactions was reported to have been $75,000.
The Bureau of Financial Institutions was charged by the 123rd Legislature to study the impact of data security breaches on Maine banks and credit unions since January 1, 2007. The study sought information about financial institutions’ actions and expenses as a result of such breaches. The focus of the study was on breaches reportable under Maine’s new data breach law known as the Notice of Risk to Personal Data Act (10 M.R.S.A. §1346). The study was prepared in consultation with the Maine Credit Union League, the Maine Association of Community Banks, the Maine Bankers Association, and the New England Financial Services Association.

A copy of the report can be found on the Bureau’s website at www.maine.gov/pfr/financialinstitutions. A copy can also be obtained by calling 1-800-965-5235 (toll free in Maine) or 207-624-8570.

The Bureau of Financial Institutions is part of the Maine Department of Professional and Financial Regulation, which encourages sound ethical business practices through impartial and efficient regulation of insurers, financial institutions, creditors, investment providers, and numerous professions and occupations for the purpose of protecting the citizens of Maine. Consumers can reach the Bureau through the Department’s website (www.maine.gov/pfr); by calling 1-800-965-5235 or by writing to Bureau of Financial Institutions, 36 State House Station, Augusta, Maine 04333.

Last Updated: December 31, 2008 11:40 PM