For Immediate Release
Media Contact: Bob Cooper
Date: June 23, 2009
Attorney General Reaches Data Breach Settlement with TJX Companies, Inc.
(Boise) – Idaho and 40 other states reached a legal settlement resolving an investigation of TJX Companies’ data security practices, Attorney General Lawrence Wasden said. The investigation resulted from a data breach in 2007 that placed thousands of consumers’ personal data at risk.
“TJX has agreed to take important steps to better protect its customers’ privacy,” Attorney General Wasden said. “Security breaches occur every day because businesses, schools, hospitals and government agencies fail to properly secure people’s private information.”
Today’s settlement requires TJX to implement an information security program designed to guard against future intrusions or unauthorized disclosures. The program assesses internal and external risks to consumers’ personal information, implements the safeguards that will best protect that consumer information and regularly monitors and tests the efficacy of those safeguards.
In 2007, after TJX announced that certain persons had obtained unauthorized access to its computer systems, enabling them to seize cardholder data and other personally identifiable information, a group of Attorneys General conducted an extensive investigation into the company’s data security systems and its security policies and procedures. The investigation uncovered alleged vulnerabilities in TJX’s data security systems that may have led to the security breach. TJX cooperated fully in the investigation.
TJX also agreed to pay the states $9.75 million. Idaho will receive $26,800 as a result of the settlement and will use its portion of the settlement money to enforce the state’s consumer protection laws. $2.5 million from the settlement will be deposited in a Data Security Fund. Distributions from the Fund will be made to states for data security enforcement.
Idaho’s security breach statute requires a business or other entity to notify consumers in the most expedient time possible after discovering a breach. An intentional failure to comply with the statute subjects the business to a $25,000 fine per breach.
- End -