TJX, the parent company of retailers T.J. Maxx and Marshalls and data brokers Reed Elsevier and Seisint reached settlements with the Federal Trade Commission last week in two unrelated data breach cases.
Both agreed to settle charges that each failed to provide reasonable and appropriate security for sensitive consumer information. The agreements require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years.
“By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure,” said FTC Chairman Deborah Platt Majoras in a news release. “Information security is a priority for the FTC, as it should be for every business in America.”
TJX said computer hackers stole credit card from at least 45.7 million credit and debit cards over an 18-month period beginning in Dec. 2002. The company discovered the apparent breach in December 2006. Also stolen during the period were drivers' license numbers and other personal data on 455 million people.
The FTC alleged that Reed Elsevier, through its LexisNexis data broker business, and Seisint allowed customers to use simple passwords to access Seisint's Accurint databases, which contained sensitive consumer information, including Social Security numbers and driver's license numbers. The FTC said that identity thieves exploited these security failures and accessed sensitive information about at least 316,000 consumers.
In related news, T.J. Maxx plans to hold a special one-day sales event as part of a class-action settlement concerning its data breach. According to a legal notice issued by the corporation, the company will hold a future one-day sale of 15 percent off everything in its stores. A blogger for Information Week has suggested some humorous slogans to help promote the event.
The Attorney General's Office encourages businesses to read this guide for protecting personal information.