TRENTON – New Jersey has entered into a multi-state settlement with TJX Companies, Inc. that resolves an investigation into the discount retailer’s data storage and data security practices, Attorney General Anne Milgram announced Tuesday. The multi-state investigation was launched after two large-scale incidents in which customer data – including credit card information – was accessed by hackers.
Under terms of the settlement, TJX, which operates such popular off-price retail outlets as TJ Maxx, Marshalls and HomeGoods, has agreed to pay the participating states a total of $9.75 million. New Jersey, one of 11 states to serve on the multi-state group’s Executive Committee, will receive $431,609.
In addition to the payments, TJX has agreed to install and maintain a comprehensive information security program that assesses internal and external risks to consumers’ personal data, provides safeguards designed to protect that data, and regularly monitors and tests the effectiveness of those safeguards. The security program must be in place within 120 days of the settlement agreement’s effective date. TJX must also obtain a third-party assessment of its Information Security Program and report regularly to the states on the program’s performance.
“This is an important settlement, because it requires TJX to upgrade and strengthen its data security systems to a level commensurate with the size and complexity of its operations,” said Milgram. “TJX is a major national and international retailer, and consumers who shop at its various stores should be able to do so with confidence that their credit card and other personal information is protected.”
In 2007, TJX announced that intruders had obtained unauthorized access to its computer systems in the two previous years, enabling them to seize cardholder data and other personal identifying information.
Specifically, the company disclosed that hackers had successfully intruded on data stored in the main server at TJX’s Framingham, Mass. headquarters between July and November 2005, obtaining hundreds of thousands of names, addresses, social security numbers, military ID numbers and drivers’ license numbers.
The company also disclosed that, between May and December 2006, hackers had captured consumer credit card data while it was in transit between TJX stores and the authorizing banks. It was estimated that at least 100 million credit card transactions had been compromised by the activity. There is no indication that New Jersey consumers were the victims of actual identity theft as a result of either breach.
In the wake of the TJX announcement, a coalition of attorneys general conducted an extensive investigation into data security policies and procedures that had been in place at TJX when the breaches occurred.
The investigation uncovered a number of vulnerabilities and flaws in TJX’s data security systems.
The settlement announced this week requires TJX to implement an Information Security Program designed to guard against future intrusions or unauthorized disclosures.
Among other things, the Information Security Program must:
• Upgrade all Wired Equivalent Privacy (“WEP”) based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (“WPA”) wired systems;
• Not store credit card or debit card data on its network any longer than necessary for legitimate business purposes;
• Appropriately isolate from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process or transmit personal information, by firewalls, access controls, and other appropriate measures; and
• Implement proper security password management for portions of the TJX computer system that store, process or transmit personal information.
In addition to New Jersey, the following states participated in the settlement: Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin and the District of Columbia.