The IT Law Wiki

Citation

In re TJX Companies, Inc., FTC File No. 072-3055 (Mar. 27, 2008).

Factual Background

According to the Federal Trade Commission's complaint, TJX Companies (TJX), with over 2,500 stores worldwide, failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks. An intruder exploited these failures and obtained information on 46.2 million consumer credit and debit cards that consumers used at TJX’s stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores. Banks have claimed that tens of millions of dollars in fraudulent charges have been made on the cards and millions of cards have been cancelled and reissued.

Specifically, the agency charged that TJX:

Agreement Containing Consent Order

The settlement with TJX requires it to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers. The settlement requires the program to contain administrative, technical, and physical safeguards appropriate to the company’s size, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, TJX must:

The settlement requires TJX to retain independent, third-party security auditors to assess its security program on a biennial basis for the next 20 years. The auditors will be required to certify that the company’s security program meets or exceeds the requirements of the FTC's order and is operating with sufficient effectiveness to provide reasonable assurance that the security of consumers’ personal information is being protected.

The settlement also contains bookkeeping and record-keeping provisions to allow the agency to monitor compliance with its order.

External resource