STAFF REPORT

The state's Bureau of Financial Institutions has released a report examining the impact of data security breaches on Maine banks and credit unions.

The "Maine Data Breach Study" identifies the various consumer protection steps taken by financial institutions in the aftermath of a breach and highlights the costs associated with breaches.

"This study reveals the impact a large-scale data breach has on Maine banks, credit unions and their customers," Bureau Superintendent Lloyd P. LaFountain III said in a release.

"The cost to banks and credit unions -- in terms of financial and staffing resources -- can be substantial." Since Jan. 1, 2007, there have been two major data breaches affecting Maine's financial institutions:

• The TJX data breach that became known to banks and credit unions in January 2007. TJX owns TJMaxx, Marshalls, HomeGoods and other retailers.

• The Hannaford Bros. Co. breach, which became known to banks and credit unions in March 2008.

LaFountain reported that 75 financial institutions responded to a Bureau survey (50 credit unions and 25 banks). Of the 75 respondents, 71 reported being affected by at least one data breach since Jan. 1, 2007, and incurring combined expenses totaling approximately $2.1 million.

The Hannaford breach had the largest impact, affecting the most institutions (71), impacting the highest number of affected account holders (243,599), and having the largest dollar cost ($1.6 million).

The majority of the state's financial institutions reported no unauthorized or fraudulent transfers. Of the 71 affected financial institutions:

• 25 reported unauthorized or fraudulent transfers.

• In one case, the unauthorized activity involved only one account and, in most instances, fewer than 25 accounts.

• In another case, however, the number of accounts that may have been subject to fraudulent transfers due to the breach was 265, and the amount subject to unauthorized or fraudulent transactions was reported to have been $75,000.