From the Boston Globe Business Team

TJX settles with government over data breach, avoids fines

March 27, 2008 04:18 PM

More than a year after millions of T.J. Maxx and Marshalls customers found out their credit card information had been hacked into, the discount stores' operator agreed to have its information audited but avoided paying federal fines.

TJX Cos. was one of three firms that agreed to settle charges that each "failed to provide reasonable and appropriate security for sensitive consumer information," federal regulators said today in two unrelated data-breach decisions. A copy of the TJX settlement can be viewed here.

Data broker Reed Elsevier PLC and its Seisint subsidiary also avoided fines but have agreed to obtain third-party audits biennially for 20 years under a separate settlement with the Federal Trade Commission.

The agreements, which will be finalized after a 30-day public comment period, also require the companies to implement comprehensive information security programs.

"These cases bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information," FTC Chairman Deborah Platt Majoras said in a release.

TJX said last March that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems. Court filings by banks that sued TJX estimated the number of cards affected at more than 100 million.

Sherry Lang, TJX's senior vice president for investor and public relations, said the company disagreed with the FTC's allegations, but agreed to the settlement "which is consistent with the agreements between the FTC and other retailers that have been victimized by cyber crime."

The Framingham, Mass.-based company's 2,500 stores include the T.J. Maxx and Marshalls chains.

"We have been at work for over a year implementing a comprehensive, improved information security program designed to protect the security, confidentiality and integrity of our customers' personal information," Lang said in a statement.

The FTC did not impose financial penalties against the companies because it lacks the authority to do so. The commission has asked Congress for such authority since 2005.

The breach is believed to have begun in mid-2005 but wasn't detected until December 2006. A judge on July 15 will consider whether to approve the settlement reached last September. The FTC said it coordinated its investigation of TJX with 39 state attorneys general, led by Massachusetts.
(AP)
