DoJ: Attorney General J.B. Van Hollen Announces Multi-State Settlement with the TJX Companies, INC. Over Massive Data Breach

For More Information Contact:

Bill Cosh        608/266-1221


 


 


 


 


Today, Wisconsin Attorney General J.B. Van Hollen, together with 40 other State Attorneys General announced a settlement with the TJX Companies, Inc.  The Assurance of Discontinuance between the parties resolves an investigation concerning TJX’s data security practices and whether they adequately protected customers’ financial information and sufficiently guarded against a massive data breach that placed thousands of consumers’ personal data at risk, nationwide.  TJX has agreed to pay $9.75 million to the states and to implement and maintain a comprehensive information security program to address weaknesses in TJX’s computer security systems in place at the time of the breach.  Under the terms of the settlement, Wisconsin will receive $67,424.


“The Wisconsin Department of Justice is committed to help protect the privacy of the citizens of Wisconsin,” Van Hollen said.  “It is important that businesses and individuals stay vigilant in protecting personal identifying information where, as in this case, unscrupulous hackers work to gain access to the information.”


In 2007, after TJX announced that certain persons had obtained unauthorized access to its computer systems, the coalition of Attorneys General conducted an extensive investigation into TJX’s data security policies and procedures in place when the breach occurred.  That investigation uncovered a number of vulnerabilities and flaws in TJX’s data security systems.  The Assurance announced today reflects the lessons learned from the breach and requires TJX to implement an information security program designed to guard against future intrusions or unauthorized disclosures. 


The settlement ensures that TJX will employ a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards.  TJX also will report regularly to the Attorneys General on the efficacy of its program, after obtaining a third-party assessment of its systems.  Among other things, under the Information Security Program required by the Assurance, TJX must:


·        Upgrade all Wired Equivalency Privacy (“WEP’) based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (“WPA”) wired systems;


·        Not store credit card or debit card data on its network, any longer than necessary for legitimate business purposes;


·        Appropriately segment from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process or transmit personal information, by firewalls, access controls, and other appropriate measures; and


·        Implement proper security password management for portions of the TJX computer system that store, process or transmit personal information.


Section IV of the Assurance sets forth the general and specific requirements of the Information Security Program required under the Assurance.  


Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation.  The remaining $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the State Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information. 


The investigation was led by Massachusetts Attorney General Martha Coakley and an Executive Committee including the Attorneys General of Arkansas, California, Connecticut, Florida, Illinois, New Jersey, Ohio, Oregon, Pennsylvania, Tennessee and Vermont. 


The 41 States participating in today’s agreement are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.


Assistant Attorney General Nelle R. Rohlich represented the State.