Settlement reached with TJX Companies
Article published on Tuesday, June 23, 2009
TALLAHASSEE – Attorney General Bill McCollum announced June 23 that Florida and 41 other states have reached a settlement with TJX Companies, Inc., the parent company of numerous retail chains, over allegations the company did not provide adequate data security for its customers.
TJX was the victim of a massive data breach in late 2006 which, according to company filings with the Securities and Exchange Commission, exposed personal identification information from potentially tens of millions of TJ Maxx, Marshalls, HomeGoods and A.J. Wright transactions. As part of the settlement, the company must implement major security requirements. Florida was one of the lead states in the multistate negotiations.
“Companies need to take the appropriate precautions to protect the data with which customers entrust them,” said McCollum.
TJX reported in January 2007 that its computer systems were hacked late in 2006 and customer data had been stolen. Company officials said the hackers broke into a system that manages credit and debit card transactions as well as checks and merchandise returns for customers throughout the United States and possibly elsewhere.
A multistate investigation was initiated to determine how the system was compromised, whether it could happen again, and what safeguards TJX was taking to prevent another major data breach. The investigation involved the review of thousands of documents to track the company’s internal data security operating system and uncovered a number of vulnerabilities and flaws in TJX’s data security systems.
The settlement ensures that TJX will employ a comprehensive “Information Security Program” that assesses internal and external risks to consumers’ personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. The company must also replace all wireless systems in TJX’s retail stores with wired systems, Wi-Fi Protected Access (WPA) systems, or wireless systems at least as secure as WPA, because the breach was blamed in part on access through the wireless system.
Additionally, the company must conduct risk assessments in several areas of its daily business transactions and will be subject to certain compliance and reporting requirements to prevent another major data breach from impacting TJX customers.
In addition to the compliance standards and security measures, TJX will pay a total of $9.75 million to the participating states to reimburse the costs of the investigation. Of the $9.75 million, $5.5 million will be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation.
The remaining $2.5 million will fund a data security trust fund to be used by the state Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information. Florida’s share will be approximately $524,000.
Florida currently has 66 TJ Maxx stores, 71 Marshalls stores, 33 HomeGoods stores and three A.J. Wright stores.
The data breach also spawned at least one criminal operation, which involved the use of counterfeit gift cards purchased with stolen credit card data. The ring leader, Irving Escobar of Miami, coordinated the purchase of gift cards at Wal-Mart or Sam’s Club and then, with his co-defendants, redeemed the gift cards to purchase jewelry and electronic equipment – a modern-day version of money laundering.
Authorities estimated a total loss of $3 million could be attributed to Escobar and his co-defendants on a nationwide scale. He was arrested in March 2007 and was sentenced to five years in prison that September in a case prosecuted by the Attorney General’s Office of Statewide Prosecution.
Information about preventing and recovering from identity theft is available on the Attorney General’s Web site, myfloridalegal.com/identitytheft.
In addition to Florida, the following states participated in the settlement: Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia, Wisconsin, and the District of Columbia.
# # #
For an official, downloadable photograph, please visit http://www.myfloridalegal.com/picture.html. Also, follow the Attorney General's Office on Twitter! http://www.twitter.com/myfloridalegal
Copyright © Tampa Bay Newspapers: All rights reserved.