(Phoenix, Ariz. – June 23, 2009) Attorney General Terry Goddard, along with 40 other state Attorneys General, today announced a $9.75 million nationwide settlement with TJX Companies, Inc. (TJX), which owns retailers TJ Maxx, HomeGoods, A.J. Wright and Marshalls stores.
The agreement concerns a massive data breach that placed thousands of TJX’s consumers’ personal data at risk. The victims of the breach included 600 Arizonans.
In addition to the financial settlement, TJX has agreed to implement a comprehensive information security program to safeguard consumer data and address weaknesses in its computer security systems.
In 2007, unauthorized individuals obtained access to TJX’s computer systems and seized cardholder data and other personally identifiable information. A multi-year investigation into the breach conducted by the Attorneys General examined TJX’s data security policies and procedures in place when the breach occurred. That investigation identified a number of potential vulnerabilities in TJX’s data security systems that may have facilitated the unlawful intrusion.
According to the settlement, TJX will employ a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. TJX also will regularly obtain third-party assessments of its security systems and report to the Attorneys General on the efficacy of its program. Among other things, TJX must:
- Upgrade all Wired Equivalent Privacy (“WEP”) based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (“WPA”) wired systems.
- Not store credit card or debit card data on its network any longer than necessary for legitimate business purposes.
- Appropriately segment from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process or transmit personal information, by firewalls, access controls, and other appropriate measures.
- Implement proper security password management for portions of the TJX computer system that store, process or transmit personal information.
Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation. The remaining $2.5 million will fund a Data Security Trust Fund to be used by the Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information.
The 41 states participating in today’s agreement are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin and the District of Columbia.
Assistant Attorney General Cherie Howe handled this case.
For additional information, contact Anne Hilby at (602) 542-8019.