TJX Settles With Feds
No Fines, But 20 Years of Audits Result from Data Breach
Related story: Reaction to TJX Settlement: "A Very Light Slap on the Wrist"
While no fines were levied, the Federal Trade Commission (FTC) will require the retailer to implement a comprehensive information security program and to obtain audits by independent third-party security professionals every other year for 20 years. The Framingham, MA-based company's 2,500 stores include the T.J. Maxx and Marshalls chains.
Last January, TJX revealed its computer servers had been hacked, and more than 45 million customer records were breached. (See: TJX Settlement)
Data broker Reed Elsevier PLC and its Seisint subsidiary were cited in a separate FTC action for similar security failures and face the same 20-year audit requirement. (See FTC press release: Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data)
This is the second settlement TJX has made as a result of what was then the largest consumer data breach on record. The first settlement, with Visa, came last November and will cost the retailer up to $40.9 million. (See TJX, Visa Agree to $40.9 Million Payout for Data Breach).
"By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," says FTC Chairman Deborah Platt Majoras in the FTC statement. The TJX settlement is the 20th case where the FTC has used its regulatory muscle to rein in security-deficient companies that don't protect sensitive consumer information.
Findings
The FTC charges TJX failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks.
The FTC's investigation shows an intruder exploited these failures and obtained tens of millions of credit and debit card numbers that consumers had used at TJX's stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores.
Banks and credit unions say millions of dollars in fraudulent charges were made on the breached cards, and the breach forced the institutions to cancel or reissue millions of cards. A class action suit brought by state banking associations on behalf of banks ended with the banks recouping part of those losses through TJX's settlement with Visa.
The FTC charges that TJX:
- Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
- Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
- Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
- Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
- Failed to employ sufficient measures to detect and prevent unauthorized access to its computer networks, such as patching systems and updating anti-virus software, or to conduct security investigations.
The settlement requires TJX to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers. The independent auditors will be required to certify that the companies' security programs meet or exceed the requirements of the settlement.
The FTC coordinated its investigation of TJX with 39 state Attorneys General, led by the office of the Massachusetts Attorney General.