Retail chain TJX, operator of TJ Maxx stores, has settled charges with 41 states, resolving a 2007 security breach that exposed thousands of customers' sensitive financial information.
The company was charged with failing to appropriately protect its customers' financial information and to guard against a massive data breach that placed thousands of consumers' personal data at risk nationwide. TJX has agreed to pay $9.75 million to the states and to implement and maintain a comprehensive information security program designed to safeguard consumer data and to address the weaknesses in TJX's systems that were in place at the time of the breach.
"Protecting consumers' personally-identifiable information is of paramount importance to prevent fraudulent use of credit and identity theft. All retailers and companies that hold or use personally-identifiable information must employ data security systems that guard against the improper disclosure or use of that information," said Massachusetts Attorney General Martha Coakley. "This settlement ensures that companies cannot write-off the risk of a data breach as a cost of doing business. In addition to the monetary relief, this agreement requires TJX to implement and maintain a substantial data security program to ensure that this kind of data breach does not happen again."
In January 2007, TJX announced that certain persons had obtained unauthorized access to its computer systems, enabling them to seize cardholder data and other personally identifiable information. A coalition of attorneys general conducted an extensive investigation into the data security policies and procedures TJX had in place when the breach occurred.
That investigation concerned a number of alleged vulnerabilities in TJX's data security systems that may have facilitated the unlawful intrusion and allowed it to go undetected for an unacceptably long time. The settlement reflects the lessons learned from that breach and provides for an information security program designed to guard against future intrusions or unauthorized disclosures. In that regard, the settlement's relief is the most comprehensive achieved to date following a data breach investigation.
The settlement ensures that TJX will employ a comprehensive "Information Security Program" that assesses internal and external risks to consumers' personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. TJX also will report regularly to the Attorneys General on the efficacy of its program, after obtaining a third-party assessment of its systems.
Of the $9.75 million monetary payment under the settlement, $5.5 million is dedicated to data protection and consumer protection efforts by the states, and $1.75 million reimburses the costs and fees of the investigation. The remaining $2.5 million will fund a Data Security Trust Fund to be used by the state Attorneys General to advance enforcement efforts and policy development in the field of data security and the protection of consumers' personal information.
The 41 jurisdictions participating in today's agreement are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.