Attorney General Mills Announces Multi-State Settlement with the TJX Companies, Inc Over Massive Data Breach
June 23, 2009
FOR IMMEDIATE RELEASE
Contact: Kate Simmons
Maine to Receive $38,670.05 to Help Ensure Protection of Personal Data
AUGUSTA – Attorney General Janet T. Mills, along with 40 other State Attorneys General, announced a settlement with the TJX Companies, Inc., a Delaware-based company that owns TJ Maxx, Marshalls and HomeGoods stores. The Assurance of Discontinuance between the parties resolves an investigation of TJX’s data security practices. The investigation focused on whether TJX had implemented sufficient safeguards to protect customers’ financial information against a massive data breach that placed thousands of consumers’ personal data at risk.
“It is critical for all companies who have access to customers’ personal financial information to have comprehensive protections in place to prevent that data from being compromised,” said Attorney General Janet T. Mills. “Anything less is unacceptable.”
TJX has agreed to pay $9.75 million to the states and to implement and maintain a comprehensive information security program to address weaknesses in TJX’s computer security systems that were in place at the time of the breach. Under the terms of the settlement, Maine will receive $38,675.00 to aid consumer protection enforcement and efforts to protect consumers’ personally-identifiable information.
In 2007, after TJX announced that certain persons had obtained unauthorized access to its computer systems and seized cardholder data and other personally identifiable information, the coalition of Attorneys General conducted an extensive investigation into TJX’s data security policies and procedures in place when the breach occurred.
That investigation uncovered a number of alleged vulnerabilities and flaws in TJX’s data security systems that may have allowed both the unlawful intrusion and the intruders’ ability to continue undetected. Today’s settlement reflects the lessons learned from that data breach and requires TJX to implement an information security program designed to guard against future intrusions or unauthorized disclosures. The Assurance’s relief is the most comprehensive relief achieved to date following a data breach investigation.
This settlement ensures that TJX will employ a comprehensive “Information Security Program” that assesses risks to consumers’ personal information, implements safeguards to protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. TJX also will report regularly to the Attorneys General on the efficacy of its program and obtain a third-party assessment of its systems. Under the Information Security Program required by the Assurance, TJX must also:
• Upgrade all Wired Equivalent Privacy (“WEP”) based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (“WPA”) wireless systems;
• Delete credit card or debit card data from its network after that data has been used for legitimate business purposes.
• Use firewalls, access controls or other appropriate measures to separate areas of the TJX computer system that store, process or transmit personal information from network-based portions of the TJX computer system.
• Implement proper password security management for portions of the TJX computer system that store, process or transmit personal information.
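The first requirement above, retiring WEP, is the one a practitioner can verify directly from a wireless survey. The following is an added example, not part of the press release or of TJX’s program: it parses scan output in the terse `nmcli -t -f SSID,SECURITY dev wifi` format and flags every network that is open or still advertises WEP. The store SSIDs and their security fields are constructed sample data.

```python
"""Flag wireless networks still using WEP (or no encryption) from an nmcli scan."""
from typing import Dict, List

# Constructed sample in the shape of `nmcli -t -f SSID,SECURITY dev wifi`
# output (terse mode, colon-separated). Hypothetical store inventory, not real data.
SAMPLE_SCAN = """\
STORE-0112-POS:WEP
STORE-0112-GUEST:
STORE-0113-POS:WPA2
STORE-0114-POS:WPA1 WPA2
STORE-0115-POS:WPA3
STORE-0116-POS:WPA1
"""

# Strongest-to-weakest ranking used to pick the best mode an access point advertises.
RANK = {"WPA3": 4, "WPA2": 3, "WPA1": 2, "WEP": 1, "OPEN": 0}


def classify(security_field: str) -> str:
    """Map an nmcli SECURITY field to a single label.

    An access point that advertises WEP at all is classed as WEP, because a
    client may still associate using it; otherwise the strongest WPA
    generation offered wins.
    """
    tokens = security_field.split()
    if not tokens:
        return "OPEN"
    if "WEP" in tokens:
        return "WEP"
    wpa = [t for t in tokens if t.startswith("WPA")]
    if not wpa:
        return "UNKNOWN"
    return max(wpa, key=lambda t: RANK.get(t, -1))


def audit(scan_text: str) -> List[Dict[str, object]]:
    """Parse terse nmcli output and return one record per SSID.

    'remediate' is True for networks that fail the WEP requirement outright
    (open or WEP); WPA1-only networks pass it but are still worth upgrading.
    """
    rows: List[Dict[str, object]] = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        # nmcli terse output escapes ':' inside an SSID as '\:', and the
        # SECURITY field never contains a colon, so split from the right.
        ssid, _, security = line.rpartition(":")
        ssid = ssid.replace("\\:", ":")
        label = classify(security)
        rows.append({"ssid": ssid, "security": label,
                     "remediate": label in ("OPEN", "WEP")})
    return rows


def wep_or_open(rows: List[Dict[str, object]]) -> List[str]:
    """SSIDs that must be rebuilt as wired or WPA networks."""
    return [str(r["ssid"]) for r in rows if r["remediate"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_SCAN):
        flag = "REMEDIATE" if r["remediate"] else "ok"
        print(f"{r['ssid']:<20} {r['security']:<8} {flag}")
```

Run against live output by piping `nmcli -t -f SSID,SECURITY dev wifi` into `audit`; a survey taken from inside each store is needed, since the scan only sees access points in radio range.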
Section IV of the Assurance sets forth the general and specific requirements of the Information Security Program required under the Assurance.
Of the $9.75 million monetary payment under the settlement, $5.5 million will be dedicated to data protection and consumer protection efforts by the states, and $1.75 million will be used to reimburse the Attorneys General for costs and fees of the investigation. The remaining $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the State Attorneys General to advance enforcement efforts and policy development in the field of data security and protection of consumers’ financial personal information.
The 41 States participating in today’s agreement are Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.