TRENTON – Attorney General Anne Milgram announced today that New Jersey has entered into a multi-state settlement with TJX Companies, Inc. that resolves an investigation into the discount retailer’s data storage and data security practices. The multi-state investigation was launched after two large-scale incidents in which customer data – including credit card information – was accessed by hackers.
Under terms of the settlement, TJX, which operates such popular off-price retail outlets as TJ Maxx, Marshalls and HomeGoods, has agreed to pay the participating states a total of $9.75 million. New Jersey, one of 11 states to serve on the multi-state group’s Executive Committee, will receive $431,609.
In addition to the payments, TJX has agreed to install and maintain a comprehensive Information Security Program that assesses internal and external risks to consumers’ personal data, provides safeguards designed to protect that data, and regularly monitors and tests the effectiveness of those safeguards. The security program must be in place within 120 days of the settlement agreement’s effective date. TJX must also obtain a third-party assessment of its Information Security Program and report regularly to the states on the program’s performance.
“This is an important settlement, because it requires TJX to upgrade and strengthen its data security systems to a level commensurate with the size and complexity of its operations,” said Attorney General Milgram. “TJX is a major national and international retailer, and consumers who shop at its various stores should be able to do so with confidence that their credit card and other personal information is protected.”
In 2007, TJX announced that intruders had obtained unauthorized access to its computer systems in the two previous years, enabling them to seize cardholder data and other personal identifying information.
Specifically, the company disclosed that hackers had successfully intruded on data stored in the main server at TJX’s Framingham, Mass. headquarters between July and November 2005, obtaining hundreds of thousands of names, addresses, social security numbers, military ID numbers and drivers’ license numbers.
The company also disclosed that, between May and December 2006, hackers had captured consumer credit card data while it was in transit between TJX stores and the authorizing banks. It was estimated that at least 100 million credit card transactions had been compromised by the activity. There is no indication that New Jersey consumers were the victims of actual identity theft as a result of either breach.
In the wake of the TJX announcement, a coalition of Attorneys General conducted an extensive investigation into data security policies and procedures that had been in place at TJX when the breaches occurred.
The investigation uncovered a number of vulnerabilities and flaws in TJX’s data security systems.
The settlement announced today reflects lessons learned from that investigation, and requires TJX to implement an Information Security Program designed to guard against future intrusions or unauthorized disclosures.
Among other things, the Information Security Program must:
- Upgrade all Wired Equivalent Privacy (“WEP”) based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (“WPA”) wired systems;
- Not store credit card or debit card data on its network any longer than necessary for legitimate business purposes;
- Appropriately isolate from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process or transmit personal information, by firewalls, access controls, and other appropriate measures; and
- Implement proper security password management for portions of the TJX computer system that store, process or transmit personal information.
In addition to New Jersey, the following states participated in the settlement: Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin and the District of Columbia.
Along with Attorney General Milgram, others participating in the TJX Executive Committee included Attorneys General from Arkansas, California, Connecticut, Florida, Illinois, Ohio, Oregon, Pennsylvania, Tennessee and Vermont.
Deputy Attorney General Alina Wells, assigned to the Division of Law’s Consumer Fraud Prosecution Section, handled the TJX matter on behalf of the state.
# # #