Interviews
News Flash
New Jersey AG enters into multi-state settlement with TJX Companies
24 Jun '09
4 min read
Attorney General (AG) Anne Milgram announced that New Jersey has entered into a multi-state settlement with TJX Companies, Inc. that resolves an investigation into the discount retailer's data storage and data security practices. The multi-state investigation was launched after two large-scale incidents in which customer data – including credit card information – was accessed by hackers.
Under terms of the settlement TJX, which operates such popular off-price retail outlets as TJ Maxx, Marshalls and HomeGoods, has agreed to pay the participating states a total of $9.75 million. New Jersey, one of 11 states to serve on the multi-state group's Executive Committee will receive $431,609.
View settlement agreement
In addition to the payments, TJX has agreed to install and maintain a comprehensive Information Security Program that assesses internal and external risks to consumers' personal data, provides safeguards designed to protect that data, and regularly monitors and tests the effectiveness of those safeguards. The security program must be in place within 120 days of the settlement agreement's effective date. TJX must also obtain a third-party assessment of its Information Security Program and report regularly to the states on the program's performance.
“This is an important settlement, because it requires TJX to upgrade and strengthen its data security systems to a level commensurate with the size and complexity of its operations,” said Attorney General Milgram. “TJX is a major national and international retailer, and consumers who shop at its various stores should be able to do so with confidence that their credit card and other personal information is protected.”
In 2007, TJX announced that intruders had obtained unauthorized access to its computer systems in the two previous years, enabling them to seize cardholder data and other personal identifying information.
Specifically, the company disclosed that hackers had successfully intruded on data stored in the main server at TJX's Framingham, Mass. headquarters between July and November 2005, obtaining hundreds of thousands of names, addresses, social security numbers, military ID numbers and drivers' license numbers.
The company also disclosed that, between May and December 2006, hackers had captured consumer credit card data while it was in transit between TJX stores and the authorizing banks. It was estimated that at least 100 million credit card transactions had been compromised by the activity. There is no indication that New Jersey consumers were the victims of actual identity theft as a result of either breach.
In the wake of the TJX announcement, a coalition of Attorneys General conducted an extensive investigation into data security policies and procedures that had been in place at TJX when the breaches occurred.
The investigation uncovered a number of vulnerabilities and flaws in TJX's data security systems.
Under terms of the settlement TJX, which operates such popular off-price retail outlets as TJ Maxx, Marshalls and HomeGoods, has agreed to pay the participating states a total of $9.75 million. New Jersey, one of 11 states to serve on the multi-state group's Executive Committee will receive $431,609.
View settlement agreement
In addition to the payments, TJX has agreed to install and maintain a comprehensive Information Security Program that assesses internal and external risks to consumers' personal data, provides safeguards designed to protect that data, and regularly monitors and tests the effectiveness of those safeguards. The security program must be in place within 120 days of the settlement agreement's effective date. TJX must also obtain a third-party assessment of its Information Security Program and report regularly to the states on the program's performance.
“This is an important settlement, because it requires TJX to upgrade and strengthen its data security systems to a level commensurate with the size and complexity of its operations,” said Attorney General Milgram. “TJX is a major national and international retailer, and consumers who shop at its various stores should be able to do so with confidence that their credit card and other personal information is protected.”
In 2007, TJX announced that intruders had obtained unauthorized access to its computer systems in the two previous years, enabling them to seize cardholder data and other personal identifying information.
Specifically, the company disclosed that hackers had successfully intruded on data stored in the main server at TJX's Framingham, Mass. headquarters between July and November 2005, obtaining hundreds of thousands of names, addresses, social security numbers, military ID numbers and drivers' license numbers.
The company also disclosed that, between May and December 2006, hackers had captured consumer credit card data while it was in transit between TJX stores and the authorizing banks. It was estimated that at least 100 million credit card transactions had been compromised by the activity. There is no indication that New Jersey consumers were the victims of actual identity theft as a result of either breach.
In the wake of the TJX announcement, a coalition of Attorneys General conducted an extensive investigation into data security policies and procedures that had been in place at TJX when the breaches occurred.
The investigation uncovered a number of vulnerabilities and flaws in TJX's data security systems.
Popular News
Leave your Comments
Editor’s Pick
Esteemed Clients
-Ltd..jpg?tr=w-120,h-60,c-at_max,cm-pad_resize,bg-ffffff "Thermore (Far East) Ltd.")
.jpg?tr=w-120,h-60,c-at_max,cm-pad_resize,bg-ffffff "Telangana State Industrial Infrastructure Corporation Limited (TSllC Ltd)")
.jpg?tr=w-120,h-60,c-at_max,cm-pad_resize,bg-ffffff "Taiwan Textile Federation (TTF)")
