TJX gets 20 years of FTC scrutiny for security failures

Discount retail giant TJX today settled Federal Trade Commission charges that it failed to provide reasonable and appropriate security for sensitive consumer information.

The settlement requires that the company implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years. No fines or consumer reimbursements were part of the settlement.

TJX revealed last year that it had suffered a massive computer network security failure over a period of years that exposed over 100 million credit cards. The FTC settlement doesn't get the company out of the woods however as almost 40 states and other Federal investigations loom.

According to the FTC complaint, TJX, with over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks. An intruder exploited these failures and obtained tens of millions of credit and debit payment cards that consumers used at TJX's stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and millions of cards have been cancelled and reissued.

Specifically, the agency charged that TJX:

* Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;

* Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;

* Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;

* Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and

* Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.

Going forward the FTC settlement with TJX requires it to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers. The settlement requires the program to contain administrative, technical, and physical safeguards and the sensitivity of the personal information it collects.

Specifically, the company must:

* Designate an employee or employees to coordinate the information security program;

* Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;

* Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;

* Develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies; and

* Evaluate and adjust their information security programs to reflect the results of monitoring, any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs.

* The settlements also contain bookkeeping and record keeping provisions to allow the FTC to monitor compliance with its orders.

Layer 8 in a box

Check out these other hot stories:

US lacking secure national space strategy, GAO says

FTC takes aim at prepaid calling card giant

Superfund pig farm to become $45M solar energy site

Pentagon awards $15.7M to advance university science and engineering research

International cyber-cop unit girds for uphill battles

Insider Shootout: Best security tools for small business
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies