
Press Releases

 

AG Lynch announces multi-state settlement with TJX for massive data breach

Attorney General Patrick C. Lynch announced that an Assurance of Voluntary Compliance (AVC) filed today in Providence County Superior Court resolves an investigation concerning the TJX Companies, Inc.’s data security practices and whether TJX adequately protected customers’ financial information and sufficiently guarded against a massive nationwide data breach that placed millions of consumers’ personal data at risk.

TJX, a Delaware corporation with its principal place of business in Framingham, MA, is the parent corporation of stores such as T.J. Maxx, Marshalls, Bob’s Stores, and HomeGoods operating in Rhode Island.

Lynch joined with Attorneys General of 40 other states in announcing the settlement with TJX. Under the terms of the settlement, TJX has agreed to pay $9.75 million to the states and to implement and maintain a comprehensive information security program to address weaknesses in TJX’s computer security systems in place at the time of the breach. Under the terms of the settlement, Rhode Island will receive $45,000 to aid consumer protection enforcement and efforts to protect consumers’ personal information. TJX cooperated fully in the states’ investigation.

“This settlement represents another one of this office’s actions to protect the residents of Rhode Island from those who seek to steal personal information for their own financial gain,” Lynch said. “Its terms require that TJX tighten up its procedures to prevent security breaches from placing its retail customers, including thousands in Rhode Island, at risk for identity theft. This settlement should also serve as another warning that we must be vigilant as to how we disseminate our personal information.”

Lynch proposed Rhode Island’s Identity Theft Protection bill, which took effect on March 1, 2006, and requires any state agency or business, whether Rhode Island-based or not, to notify, as quickly as possible, Rhode Island residents whose personal information or identities might be compromised by a security breach.

In 2007, after TJX announced an unauthorized breach of its computer systems that enabled hackers to seize cardholder data and other personal information, the coalition of Attorneys General conducted an extensive investigation into TJX’s data security policies and procedures in place when the breach occurred. The investigation uncovered a number of vulnerabilities and flaws in TJX’s data security systems that facilitated the unlawful intrusion and allowed it to go undetected for an unacceptable period of time. Today’s settlement requires TJX to implement an Information Security Program designed to guard against future intrusions or unauthorized disclosures. The AVC’s relief, in that regard, is the most comprehensive relief achieved to date following a data breach investigation.

Lynch said that TJX’s Information Security Program assesses internal and external risks to consumers’ personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. TJX will also report on a regular basis to the Attorneys General on the efficacy of its program, after obtaining a third-party assessment of its systems.

Among other requirements placed on TJX by the AVC, through its Information Security Program, are:

· That TJX upgrades all Wired Equivalent Privacy-based (WEP) wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (WPA) wired systems;

· That TJX does not store credit card or debit card data on its network any longer than necessary for legitimate business purposes;

· That TJX segregates from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process, or transmit personal information, by firewalls, access controls, and other appropriate measures; and

· That TJX implements proper security password management for portions of the TJX computer system that store, process, or transmit personal information.

Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is allocated to reimburse the costs and fees of the investigation. The remaining $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the Attorneys General to advance enforcement efforts and policy development in the field of data security and in protecting consumers’ personal information.

Lynch said that any Rhode Island resident who believes that personal information has been compromised should contact his Consumer Protection Unit at 274-4400.

# # #

Related links

Department or agency: Department of the Attorney General

Online: http://www.riag.ri.gov

Release date: 06-23-2009