Attorney General Long Announces Multi-State Settlement with TJX Companies, Inc. Over Massive Data Breach
PIERRE, S.D. - Attorney General Larry Long, together with 40 other State Attorneys General, announced a settlement with the TJX Companies, Inc. The Assurance of Voluntary Compliance between the parties resolves an investigation concerning TJX’s data security practices and whether they adequately protected customers’ financial information and sufficiently guarded against a massive data breach that placed thousands of consumers’ personal data at risk nationwide. TJX has agreed to pay $9.75 million to the states and to implement and maintain a comprehensive information security program to address weaknesses in the TJX computer security systems in place at the time of the breach. Under the terms of the settlement, South Dakota will receive $16,690 to aid consumer protection enforcement and efforts to protect consumers’ personally identifiable information. TJX cooperated fully in the States’ investigation.
In 2007, after TJX announced that certain persons had obtained unauthorized access to its computer systems enabling them to seize cardholder data and other personally identifiable information, the coalition of Attorneys General conducted an extensive investigation into TJX’s data security policies and procedures in place when the breach occurred. That investigation uncovered a number of vulnerabilities and flaws in TJX’s data security systems that facilitated the unlawful intrusion and allowed it to last undetected for an unacceptable duration. Today’s settlement reflects the lessons learned from that data breach and requires TJX to implement an information security program designed to guard against future intrusions or unauthorized disclosures.
The settlement ensures that TJX will employ a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. Among other things, under the Information Security Program required by the Assurance, TJX must:
- Upgrade all Wired Equivalent Privacy (“WEP”) based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (“WPA”) wireless systems;
- Not store credit card or debit card data on its network any longer than necessary for legitimate business purposes;
- Appropriately segment from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process or transmit personal information, by means of firewalls, access controls, and other appropriate measures; and
- Implement proper password security management for portions of the TJX computer system that store, process or transmit personal information.
For additional information on this settlement, please contact the South Dakota Consumer Protection Division at 1-800-300-1986.