Washington State

Office of the Attorney General

Attorney General

Bob Ferguson

FOR IMMEDIATE RELEASE:

Company to pay $9.75 million to states to support data protection efforts

SEATTLE  – TJX Companies, Inc., agreed to pay $9.75 million to 41 attorneys general as a part of settlement that follows the states’ investigation concerning the retailer’s data security practices. Washington Attorney General Rob McKenna said $2.5 million will fund a Data Security Trust Fund to be used by the states to advance enforcement efforts and policy development in the field of data security.

 “Safeguarding personal information isn’t just good business, it’s crucial for our economy,” McKenna said.

“A data leak can cost a company millions of dollars,” McKenna explained. “Start with the cost of notifying victims, tack on the expense of lawsuits, implementing new security measures and ongoing marketing to repair a damaged reputation, and some businesses never recover.”

McKenna added that money from the settlement will supplement state efforts to enforce smart business practices and to educate businesses and consumers about how to protect personal information.

On January 17, 2007 TJX publically announced that it had experienced a massive data breach affecting credit card transaction information for thousands of consumers who had shopped at TJ Maxx, HomeGoods, A.J. Wright and Marshalls stores.

McKenna said today’s settlement reflects the lessons learned from that data breach and requires the most comprehensive relief achieved to date following a data breach investigation.

State attorneys general looked at whether TJX adequately protected customers’ financial information and sufficiently guarded against the breach. TJX cooperated fully in the investigation, which uncovered a number of vulnerabilities and flaws that allowed its computer system to be hacked and enabled the intrusion to remain undetected for years.

Washington will file its version of the settlement in Thurston County Superior Court. Senior Counsel Shannon Smith, an assistant attorney general in the Consumer Protection Division, represented Washington in the case. Smith said TJX did not admit any wrongdoing as part of the settlement, but agreed to implement an information security program designed to guard against future intrusions or unauthorized disclosures.

Washington will receive $54,000 from the settlement, of which $15,000 will be used to reimburse attorney costs and fees. The attorney general will decide later how the remaining funds will be spent.

Under the agreement, TJX will:

  • Upgrade all Wired Equivalency Privacy (WEP) based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access (WPA) wired systems;
  • Not keep credit card or debit card data on its network for any longer than necessary for legitimate business purposes;
  • Use firewalls, access controls and other appropriate measures to segment network-based functions that store, process or transmit personal information from the rest of the TJX computer system;

Implement proper security password management.

TJX will regularly monitor its system and obtain a third-party assessment of its security practices. It will report regularly to the attorneys general on the effectiveness of these precautions.

Attorneys general for the District of Columbia and the following states participated in the agreement: Alabama, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Iowa, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Vermont, Washington, West Virginia and Wisconsin.

Settlement


Media Contact:  Kristin Alexander, Media Relations Manager – Seattle, (206) 464-6432, kalexander@atg.wa.gov

Topic: